2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
BEAR HUNTING:
HISTORY AND ATTRIBUTION
OF RUSSIAN INTELLIGENCE OPERATIONS
DMITRI ALPEROVITCH, CTO
ADAM MEYERS, VP INTEL
A LITTLE ABOUT ME: DMITRI ALPEROVITCH
§ Co-Founder & CTO, CrowdStrike
§ Former VP Threat Research, McAfee
§ Author of Operation Aurora, Night Dragon, Shady RAT reports
§ MIT Tech Review’s Top 35 Innovators Under 35 for 2013
§ Foreign Policy’s Top 100 Leading Global Thinkers for 2013
§ Politico’s Top 50 in 2016
A LITTLE ABOUT ME: ADAM MEYERS
§ VP of Intelligence, CrowdStrike
§ 15+ years security experience
§ Extensive experience building and leading intelligence practices in both the public and private sector
§ Sought-after thought leader: conducts speaking engagements & training classes on threat intelligence, reverse engineering, and data breach investigations
Cloud Delivered Endpoint Protection
§ Managed Hunting
§ Endpoint Detection and Response
§ Next-Gen Antivirus
CrowdStrike is the only security technology provider to unify next-gen AV and EDR into a single agent, backed by 24/7 proactive threat hunting – all delivered via the cloud.
DEMOCRATIC NATIONAL COMMITTEE
Quick refresher on why everyone now cares about Russian intrusion operations
ORDER OF EVENTS:
§ DNC hires CrowdStrike for a Compromise Assessment of their corporate network at the end of April 2016
§ CrowdStrike deployed Falcon Host endpoint technology in early May 2016 and immediately identified evidence of intrusions by two separate actors - COZY BEAR and FANCY BEAR.
§ Forensic analysis uncovered evidence of compromise by FANCY BEAR in mid-April 2016 and by COZY BEAR in the summer of 2015
§ Remediation efforts to remove the adversaries from the DNC corporate network were conducted in early July 2016.
"You know, comrades, that I think in regard to this:
I consider it completely unimportant who in the party
will vote, or how; but what is extraordinarily important is
this — who will count the votes, and how."
Joseph Stalin, 1923
Source: The Memoirs of Stalin's Former Secretary (1992)
THE BEGINNING: ОХРАНКА
1860s: Political Terror in Russia
1900s:
1917: Formation of Cheka (NKVD, MGB, KGB, FSB)
FSB 1st Main Department (Foreign Intelligence), Service “A”: Active Measures (Дезинформация)
1918: Formation of GRU
RECENT HISTORY: КОМПРОМАТ
1999: ’Man, who looks like Attorney General’
2010: Sex Tapes with Katya
Feb 2014: Klichko party email leaks
March 2014: CyberBerkut launch (prior to Crimea)
2014: Colonel Ilyushin of GRU caught collecting personal kompromat on President Hollande
2016: Lisa Affair
MANIPULATING ELECTIONS
May 2014: Presidential Election in Ukraine
§ Destructive Attack against Ukrainian Election Commission
§ CyberBerkut DDoSes Ukrainian Election Website
§ Russian TV shows doctored election results
October 2014: Parliamentary Election in Ukraine
§ CyberBerkut Hacks Election Billboards in Kiev
CrowdStrike Intelligence
• Intelligence powers everything we do
• All Source methodology
• Adversary profiling and campaign tracking
• Human analysis coupled with platform automation
• Intelligence consumable by human decision makers and enterprise systems
RUSSIA INTRUSION ACTORS
Berserk Bear
Boulder Bear
Cozy Bear
Energetic Bear
Fancy Bear
Team Bear
Venomous Bear
Voodoo Bear
RUSSIAN INTELLIGENCE SERVICES
Sergey Shoygu, Minister of Defense
Lieutenant General Igor Korobov, Director of GRU
Sergey Naryshkin, Director SVR
Alexander Bortnikov, Director FSB
RUSSIAN INTERESTS - TODAY
§ Political Dissidents/Trouble Makers
§ Terrorists
§ Spies
§ The Near Abroad/CIS
§ NATO/Europe
§ Elections
§ Energy/Trade
§ China
§ Ukraine
§ Syria
§ Turkey
§ Sports/Doping/World Cup
CAPABILITIES AND INTENTIONS
Understanding the adversary
§ OSS created the Research and Analysis Branch in 1942; OSINT on adversary news and publications provides invaluable intel
§ General Valery Gerasimov published: “The Value of Science Is in the Foresight: New Challenges Demand Rethinking the Forms and Methods of Carrying out Combat Operations”
§ Hybrid War for Regime Change
§ Step 1: Cause dissent (media, cyber, activists, little green men)
§ Step 2: Sanctions due to instability or oppressive actions
§ Step 3: Military force sent in to restore order
§ Step 4: New leadership/regime
CYBER GERASIMOV
Obtain better outcomes using the interwebs
§ Leverage/Incite dissident hackers in the target country
§ If none exist – Make one up ¯\_(ツ)_/¯
§ DDoS attacks to disrupt infrastructure and cause panic/confusion
§ Hack media and plant fake articles
§ DOX political targets
§ Use army of trolls to build base
§ Create confusion/fear/panic
ATTACKS AGAINST TURKEY
Following the downing of SU-24 FENCER
§ November 24 2015 – Turkish F-16 shoots down Russian SU-24 operating in Syria AO
§ November 27 2015 – First DDoS attacks against Turkish targets detected
§ December 18 2015 – FSB raids Turkish banks on suspicion of money laundering; at the same time DDoS observed against Turkish banks
§ January 2016 – DDoS against Ministry of Transportation, the Russian Postal System, the Federal Security Service (FSB), and the Central Bank of Russia.
ATTACKS AGAINST TURKEY
Following the downing of SU-24 FENCER
§ March 2016 – BERSERK BEAR targeting of European Energy Company aligns with downing of SU-24 Fencer
§ April 2016 – The Turkish Central Population Management System, MERNIS, experiences data leak of 50 million records
§ May 2016 – Multiple hospitals in Turkey’s Diyarbakir province were affected by a cyber attack with questionable attribution claims
§ July 2016 – BERSERK BEAR targeted a website belonging to a non-governmental organization (NGO) within Turkey. The targeted NGO is focused on the development of commerce between Turkish and European Union (EU) interests
§ July 2016 – Attempted Coup against Turkish President Recep Tayyip Erdoğan
FANCY BEAR
§ Targeting: Geopolitical Targets of Interest to Russia, Military/Defense Technologies, Media
§ Tactics/Techniques/Procedures: Multiple 0-days such as CVE-2015-7645; custom cross-platform implants/downloaders (X-Agent/Downrage/etc.); phishing using domains similar to the target mail server; spear phishing
§ Also Known As: APT28, Sofacy, Tsar Team, Sednit
DANGER CLOSE
The case of Ukraine Artillery
§ During routine hunting conducted by CrowdStrike researchers, Попр-Д30.apk was identified containing X-Agent remote access capabilities
§ Analysis reveals the filename Попр-Д30.apk is mentioned on a Ukrainian file-sharing forum in December 2014
§ The benign Попр-Д30 application assists with ballistic computations in support of the D-30 122mm Howitzer
§ The D-30 was used by Ukrainian government forces during the same time frame the app was in circulation.
X-AGENT ANDROID
Analysis of capabilities
§ The app requires an activation step that is authorized by a Ukrainian individual and requires interacting with the individual via a separate communication channel
§ The registration with a Ukrainian individual indicates the app is most likely intended to be used by Ukrainian forces only.
§ Permissions Requested:
  § READ_CONTACTS
  § READ_SMS
  § GET_ACCOUNTS
  § INTERNET
  § ACCESS_NETWORK_STATE
  § ACCESS_WIFI_STATE
  § READ_PHONE_STATE
  § CHANGE_NETWORK_STATE
  § ACCESS_COARSE_LOCATION
  § WAKE_LOCK
  § READ_CALL_LOG
X-AGENT ANDROID
Analysis of capabilities
Command  Description
100      Retrieve SMS history and details
101      Reconnaissance of device
102      Retrieve call history details
104      Retrieve contact details
106      Retrieve installed app details
107      Retrieve Wifi details
109      Retrieve browser history and bookmarks
110      Retrieve data usage details
111      List files/folders on storage
112      Exfiltrate specified file
SIDE BY SIDE
§ Left is unmodified Попр-Д30.apk as deployed by author
§ Right is Попр-Д30.apk containing additional classes with X-Agent Implant
CRYPTOGRAPHIC OVERLAP
§ The RC4 key used by X-Agent is 50 bytes; the Linux X-Agent was identified with 46 identical bytes
§ RC4 Key from X-Agent Попр-Д30.apk Android Implant:
3B C6 73 0F 8B 07 85 C0 74 02 FF CC DE C7 04 3B FE 72 F1 5F 5E C3 8B FF 56 B8 D8 78 75 07 50 E8 B1 D1 FA FE 59 5D C3 8B FF 55 8B EC 83 EC 10 A1 33 35
§ RC4 Key from X-Agent Linux Implant:
3B C6 73 0F 8B 07 85 C0 74 02 FF D0 83 C7 04 3B FE 72 F1 5F 5E C3 8B FF 56 B8 D8 78 75 07 50 E8 B1 D1 FF FF 59 5D C3 8B FF 55 8B EC 83 EC 10 A1 33 35
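Added example, not part of the CrowdStrike deck: a byte-level comparison of the two RC4 keys quoted above that reproduces the 46-of-50 overlap, lists the differing offsets, and derives the longest shared run plus a wildcarded YARA-style hex string that a detection rule could anchor on for both variants. The function names and the pattern rendering are this example's own; only the two hex dumps come from the slide.

```python
"""Compare the X-Agent RC4 keys quoted on the slide and derive overlap artifacts.

Added example, not part of the CrowdStrike deck. The two hex dumps below are
copied from the slide; everything else (function names, the wildcarded
YARA-style rendering) is this example's own construction.
"""
from typing import List, Tuple

# Key material as quoted on the slide: Android Попр-Д30.apk implant and Linux implant.
ANDROID_RC4_KEY_HEX = (
    "3B C6 73 0F 8B 07 85 C0 74 02 FF CC DE C7 04 3B FE 72 F1 5F 5E C3 8B FF 56 B8 D8 78 75 07 "
    "50 E8 B1 D1 FA FE 59 5D C3 8B FF 55 8B EC 83 EC 10 A1 33 35"
)
LINUX_RC4_KEY_HEX = (
    "3B C6 73 0F 8B 07 85 C0 74 02 FF D0 83 C7 04 3B FE 72 F1 5F 5E C3 8B FF 56 B8 D8 78 75 07 "
    "50 E8 B1 D1 FF FF 59 5D C3 8B FF 55 8B EC 83 EC 10 A1 33 35"
)


def parse_hex_key(text: str) -> bytes:
    """Turn a space-separated hex dump into raw bytes (fails loudly on bad input)."""
    return bytes.fromhex(text.replace(" ", "").replace("\n", ""))


def compare_keys(a: bytes, b: bytes) -> Tuple[int, List[int]]:
    """Return (count of identical positions, list of differing offsets).

    Positions beyond the shorter key are reported as differing, so a truncated
    sample cannot be mistaken for a perfect overlap.
    """
    n = min(len(a), len(b))
    diffs = [i for i in range(n) if a[i] != b[i]]
    identical = n - len(diffs)
    diffs.extend(range(n, max(len(a), len(b))))
    return identical, diffs


def longest_common_run(a: bytes, b: bytes) -> Tuple[int, int]:
    """Longest stretch of consecutive identical bytes, as (offset, length).

    That stretch is present verbatim in both implants, so a signature anchored
    on it matches both without wildcards.
    """
    best = (0, 0)
    run_start, run_len = 0, 0
    for i in range(min(len(a), len(b))):
        if a[i] == b[i]:
            if run_len == 0:
                run_start = i
            run_len += 1
            if run_len > best[1]:
                best = (run_start, run_len)
        else:
            run_len = 0
    return best


def wildcard_pattern(a: bytes, b: bytes) -> str:
    """Render both keys as one YARA-style hex string, '??' where they disagree.

    The result covers both variants while still requiring every shared byte,
    which keeps it far more specific than the longest common run alone.
    """
    if len(a) != len(b):
        raise ValueError("wildcard pattern requires equal-length keys")
    tokens = ["%02X" % x if x == y else "??" for x, y in zip(a, b)]
    return "{ " + " ".join(tokens) + " }"


def overlap_report(a_hex: str, b_hex: str) -> dict:
    """Bundle the measurements an analyst would record for this overlap."""
    a, b = parse_hex_key(a_hex), parse_hex_key(b_hex)
    identical, diffs = compare_keys(a, b)
    off, length = longest_common_run(a, b)
    return {
        "key_length": (len(a), len(b)),
        "identical_bytes": identical,
        "differing_offsets": diffs,
        "longest_common_run": (off, length),
        "common_run_hex": a[off:off + length].hex(" ").upper(),
        "yara_hex_string": wildcard_pattern(a, b),
    }


if __name__ == "__main__":
    for key, value in overlap_report(ANDROID_RC4_KEY_HEX, LINUX_RC4_KEY_HEX).items():
        print(f"{key}: {value}")
```

Running it reports 46 identical bytes with differences at offsets 11, 12, 34 and 35, and a 21-byte common run starting at offset 13.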
SIDE BY SIDE C2 PROTOCOL ARTIFACTS
§ Command and Control protocol across X-Agent is consistent
§ Left: C2 Artifacts from a Windows X-Agent implant
§ Right: C2 Artifacts from Попр-Д30.apk Android Implant
CONNECTING THE DOTS
C2 Server 69.90.132.215, previously tied to a domain associated with Fancy Bear DownRage
TIMELINE
§ 20 February 2013 to 13 April 2013: tool marks indicate the development of the legitimate version of Попр-Д30.apk
§ November 2013: Euromaidan
§ February 2014: President Yanukovych flees Ukraine
§ March 2014: Annexation of Crimea
§ Spring 2014: Pro-Russian separatists in eastern Ukraine declare independence
§ Summer of 2014: Ukrainian forces begin initiative to retake territory claimed by separatists
§ MH17 Downed
§ February 2015: Ceasefire signed, which is routinely violated
FREQUENTLY ASKED QUESTIONS
§ Is the X-Agent source code in the wild?
  § We have not identified any public sources of the X-Agent code
§ How could the source code be obtained?
  § For Linux variants of X-Agent the source is typically deployed to the target system to build the required kernel drivers; forensic investigation may permit its recovery
§ Did the malicious APK use GPS?
  § No; in the report we reference Gross Positional Data, which uses cellular (coarse) positioning
§ Did the malicious APK bypass the activation by the developer?
  § No; regardless of whether the APK was the original or modified, the author would still provide access codes without knowing if the application was tampered with
§ What evidence is there that the malicious APK was used by the Ukrainian military?
  § The APK was available on Ukrainian file sharing forums
§ Were D-30 122mm howitzers destroyed as a result of the APK?
  § We do not know; based on publicly available data there is evidence suggesting a disproportionate loss of D-30s by Ukrainian forces
Upcoming CrowdCast:
Thursday, January 12
Cloud-Enabled: The Future of Endpoint Security
Contact Us
Email: crowdcasts@crowdstrike.com
Twitter: @CrowdStrike
AECF: A Look into Cyber Crime - Doomsday Preppers for the Naked and Afraid
 
Cloudcamp Chicago Nov 2104 Fintech - Dwight Koop "East / West Chalkboard Talk"
Cloudcamp Chicago Nov 2104 Fintech - Dwight Koop "East / West Chalkboard Talk"Cloudcamp Chicago Nov 2104 Fintech - Dwight Koop "East / West Chalkboard Talk"
Cloudcamp Chicago Nov 2104 Fintech - Dwight Koop "East / West Chalkboard Talk"
 
Viktor Zhora - Cyber and Geopolitics: Ukrainian factor
Viktor Zhora - Cyber and Geopolitics: Ukrainian factorViktor Zhora - Cyber and Geopolitics: Ukrainian factor
Viktor Zhora - Cyber and Geopolitics: Ukrainian factor
 
Tor talk-prosa-screen
Tor talk-prosa-screenTor talk-prosa-screen
Tor talk-prosa-screen
 
Kostiantyn Korsun - State Cybersecurity vs. Cybersecurity of the State. #FRD ...
Kostiantyn Korsun - State Cybersecurity vs. Cybersecurity of the State. #FRD ...Kostiantyn Korsun - State Cybersecurity vs. Cybersecurity of the State. #FRD ...
Kostiantyn Korsun - State Cybersecurity vs. Cybersecurity of the State. #FRD ...
 
Instructions please write a 5 page paper answering the question con
Instructions please write a 5 page paper answering the question conInstructions please write a 5 page paper answering the question con
Instructions please write a 5 page paper answering the question con
 

Recently uploaded

Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
mikeeftimakis1
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Speck&Tech
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
Neo4j
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
Claudio Di Ciccio
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
Zilliz
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
Neo4j
 
Data structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdfData structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdf
TIPNGVN2
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
Edge AI and Vision Alliance
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
Neo4j
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
Uni Systems S.M.S.A.
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
sonjaschweigert1
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
Neo4j
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
Alpen-Adria-Universität
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
DianaGray10
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Aggregage
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
DianaGray10
 

Recently uploaded (20)

Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
 
Data structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdfData structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdf
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
 

Bear Hunting: History and Attribution of Russian Intelligence Operations

  • 1. BEAR HUNTING: HISTORY AND ATTRIBUTION OF RUSSIAN INTELLIGENCE OPERATIONS
Dmitri Alperovitch, CTO; Adam Meyers, VP Intel
2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
  • 2. DMITRI ALPEROVITCH. A LITTLE ABOUT ME:
§ Co-Founder & CTO, CrowdStrike
§ Former VP Threat Research, McAfee
§ Author of the Operation Aurora, Night Dragon and Shady RAT reports
§ MIT Technology Review's Top 35 Innovators Under 35, 2013
§ Foreign Policy's Top 100 Leading Global Thinkers, 2013
§ Politico's Top 50, 2016
  • 3. ADAM MEYERS. A LITTLE ABOUT ME:
§ VP of Intelligence, CrowdStrike
§ 15+ years of security experience
§ Extensive experience building and leading intelligence practices in both the public and private sector
§ Sought-after thought leader: conducts speaking engagements and training classes on threat intelligence, reverse engineering and data breach investigations
  • 4. CLOUD DELIVERED ENDPOINT PROTECTION: managed hunting, endpoint detection and response, next-gen antivirus. CrowdStrike is the only security technology provider to unify next-gen AV and EDR into a single agent, backed by 24/7 proactive threat hunting, all delivered via the cloud.
  • 5. DEMOCRATIC NATIONAL COMMITTEE. Quick refresher on why everyone now cares about Russian intrusion operations.
ORDER OF EVENTS:
§ The DNC hired CrowdStrike for a Compromise Assessment of its corporate network at the end of April 2016
§ CrowdStrike deployed Falcon Host endpoint technology in early May 2016 and immediately identified evidence of intrusions by two separate actors: COZY BEAR and FANCY BEAR
§ Forensic analysis uncovered evidence of compromise by FANCY BEAR in mid-April 2016 and by COZY BEAR in the summer of 2015
§ Remediation efforts to remove the adversaries from the DNC corporate network were conducted in early July 2016
  • 6. "You know, comrades, that I think in regard to this: I consider it completely unimportant who in the party will vote, or how; but what is extraordinarily important is this — who will count the votes, and how." Joseph Stalin, 1923. Source: The Memoirs of Stalin's Former Secretary (1992)
  • 7. THE BEGINNING: ОХРАНКА
§ 1860s: Political terror in Russia
§ 1900s:
§ 1917: Formation of the Cheka (successors: NKVD, MGB, KGB, FSB); KGB 1st Chief Directorate (Foreign Intelligence), Service "A": Active Measures (Дезинформация)
§ 1918: Formation of the GRU
  • 8. RECENT HISTORY: КОМПРОМАТ
§ 1999: "Man who looks like the Attorney General"
§ 2010: Sex tapes with Katya
§ 2014: Colonel Ilyushin of the GRU caught collecting personal kompromat on President Hollande
§ March 2014: CyberBerkut launch (prior to Crimea)
§ 2016: Lisa affair
  • 9. MANIPULATING ELECTIONS
§ February 2014: Klichko party email leaks
§ May 2014, presidential election in Ukraine: destructive attack against the Ukrainian Election Commission; CyberBerkut DDoSes the Ukrainian election website; Russian TV shows doctored election results
§ October 2014, parliamentary election in Ukraine: CyberBerkut DDoSes the Ukrainian election website; CyberBerkut hacks election billboards in Kiev
  • 10. CROWDSTRIKE INTELLIGENCE
§ Intelligence powers everything we do
§ All-source methodology
§ Adversary profiling and campaign tracking
§ Human analysis coupled with platform automation
§ Intelligence consumable by human decision makers and enterprise systems
  • 12. RUSSIAN INTELLIGENCE SERVICES
§ Sergey Shoygu, Minister of Defense
§ Lieutenant General Igor Korobov, Director of the GRU
§ Sergey Naryshkin, Director of the SVR
§ Alexander Bortnikov, Director of the FSB
  • 13. RUSSIAN INTERESTS TODAY
§ Political dissidents/troublemakers
§ Terrorists
§ Spies
§ The Near Abroad/CIS
§ NATO/Europe
§ Elections
§ Energy/trade
§ China
§ Ukraine
§ Syria
§ Turkey
§ Sports/doping/World Cup
  • 14. CAPABILITIES AND INTENTIONS: understanding the adversary
§ The OSS created its Research and Analysis Branch in 1942; OSINT on adversary news and publications provides invaluable intel
§ General Valery Gerasimov published "The Value of Science Is in the Foresight: New Challenges Demand Rethinking the Forms and Methods of Carrying out Combat Operations"
§ Hybrid war for regime change:
§ Step 1: Cause dissent (media, cyber, activists, little green men)
§ Step 2: Sanctions due to instability or oppressive actions
§ Step 3: Military force sent in to restore order
§ Step 4: New leadership/regime
  • 15. CYBER GERASIMOV: obtain better outcomes using the interwebs
§ Leverage/incite dissident hackers in the target country
§ If none exist, make one up ¯\_(ツ)_/¯
§ DDoS attacks to disrupt infrastructure and cause panic/confusion
§ Hack media and plant fake articles
§ Dox political targets
§ Use an army of trolls to build a base
§ Create confusion/fear/panic
  • 17. ATTACKS AGAINST TURKEY following the downing of the SU-24 FENCER
§ November 24, 2015: A Turkish F-16 shoots down a Russian SU-24 operating in the Syria AO
§ November 27, 2015: First DDoS attacks against Turkish targets detected
§ December 18, 2015: The FSB raids Turkish banks on suspicion of money laundering; at the same time, DDoS is observed against Turkish banks
§ January 2016: DDoS against the Ministry of Transportation, the Russian Postal System, the Federal Security Service (FSB) and the Central Bank of Russia
  • 18. ATTACKS AGAINST TURKEY following the downing of the SU-24 FENCER (continued)
§ March 2016: BERSERK BEAR targeting of a European energy company aligns with the downing of the SU-24 Fencer
§ April 2016: The Turkish Central Population Management System (MERNIS) experiences a data leak of 50 million records
§ May 2016: Multiple hospitals in Turkey's Diyarbakır province are affected by a cyber attack with questionable attribution claims
§ July 2016: BERSERK BEAR targets a website belonging to a non-governmental organization (NGO) within Turkey; the targeted NGO is focused on the development of commerce between Turkish and European Union (EU) interests
§ July 2016: Attempted coup against Turkish President Recep Tayyip Erdoğan
  • 19. FANCY BEAR
§ Targeting: geopolitical targets of interest to Russia, military/defense technologies, media
§ Tactics, techniques and procedures: multiple 0-days such as CVE-2015-7645; custom cross-platform implants/downloaders (X-Agent, DownRage, etc.); phishing using domains similar to the target's mail server; spear phishing
§ Also known as: APT28, Sofacy, Tsar Team, Sednit
  • 20. DANGER CLOSE: the case of Ukrainian artillery
§ During routine hunting conducted by CrowdStrike researchers, Попр-Д30.apk was identified as containing X-Agent remote access capabilities
§ Analysis reveals that the filename Попр-Д30.apk is mentioned on a Ukrainian file-sharing forum in December 2014
§ The benign Попр-Д30 application assists with ballistic computations in support of the D-30 122mm howitzer
§ The D-30 was used by Ukrainian government forces during the same time frame the app was in circulation
  • 21. X-AGENT ANDROID: analysis of capabilities
§ The app requires an activation step that is authorized by a Ukrainian individual and requires interacting with that individual via a separate communication channel
§ The registration with a Ukrainian individual indicates the app is most likely intended to be used by Ukrainian forces only
§ Permissions requested:
§ READ_CONTACTS
§ READ_SMS
§ GET_ACCOUNTS
§ INTERNET
§ ACCESS_NETWORK_STATE
§ ACCESS_WIFI_STATE
§ READ_PHONE_STATE
§ CHANGE_NETWORK_STATE
§ ACCESS_COARSE_LOCATION
§ WAKE_LOCK
§ READ_CALL_LOG
  • 22. X-AGENT ANDROID: analysis of capabilities (command set)
Command: Description
100: Retrieve SMS history and details
101: Reconnaissance of device
102: Retrieve call history details
104: Retrieve contact details
106: Retrieve installed app details
107: Retrieve Wi-Fi details
109: Retrieve browser history and bookmarks
110: Retrieve data usage details
111: List files/folders on storage
112: Exfiltrate specified file
  • 23. SIDE BY SIDE
§ Left: unmodified Попр-Д30.apk as deployed by its author
§ Right: Попр-Д30.apk containing additional classes with the X-Agent implant
  • 24. CRYPTOGRAPHIC OVERLAP
§ The RC4 key used by X-Agent is 50 bytes; a Linux X-Agent was identified with 46 identical bytes
§ RC4 key from the X-Agent Попр-Д30.apk Android implant:
3B C6 73 0F 8B 07 85 C0 74 02 FF CC DE C7 04 3B FE 72 F1 5F 5E C3 8B FF 56 B8 D8 78 75 07 50 E8 B1 D1 FA FE 59 5D C3 8B FF 55 8B EC 83 EC 10 A1 33 35
§ RC4 key from the X-Agent Linux implant:
3B C6 73 0F 8B 07 85 C0 74 02 FF D0 83 C7 04 3B FE 72 F1 5F 5E C3 8B FF 56 B8 D8 78 75 07 50 E8 B1 D1 FF FF 59 5D C3 8B FF 55 8B EC 83 EC 10 A1 33 35
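The "46 of 50 bytes identical" claim on the slide is easy to check and easy to turn into a detection artifact. The following script is an added example (not code from the presenters or from the X-Agent samples): it takes the two key byte strings exactly as printed on the slide, reports which offsets differ, and derives a YARA-style hex pattern in which the shared bytes are literal and the divergent bytes are wildcards. The function names, the truncation handling and the pattern format are this example's own choices.

```python
"""Byte-level comparison of the RC4 keys recovered from the Android and Linux
X-Agent implants, plus a wildcarded hex pattern derived from the overlap.

Added example. Only the two key byte strings are taken from the slide; the
functions and the pattern format are assumptions of this example.
"""
from typing import List, Tuple

# Key bytes as printed on the slide (50 bytes each).
ANDROID_KEY = bytes.fromhex(
    "3B C6 73 0F 8B 07 85 C0 74 02 FF CC DE C7 04 3B FE 72 F1 5F 5E C3 8B FF 56 "
    "B8 D8 78 75 07 50 E8 B1 D1 FA FE 59 5D C3 8B FF 55 8B EC 83 EC 10 A1 33 35"
)
LINUX_KEY = bytes.fromhex(
    "3B C6 73 0F 8B 07 85 C0 74 02 FF D0 83 C7 04 3B FE 72 F1 5F 5E C3 8B FF 56 "
    "B8 D8 78 75 07 50 E8 B1 D1 FF FF 59 5D C3 8B FF 55 8B EC 83 EC 10 A1 33 35"
)


def compare_keys(a: bytes, b: bytes) -> Tuple[int, List[int]]:
    """Return (number of identical bytes, 0-based offsets that differ).

    Keys of unequal length are compared over the common prefix; surplus
    bytes of the longer key are reported as differing offsets, so a key
    that was truncated during extraction still gives a usable answer.
    """
    n = min(len(a), len(b))
    diffs = [i for i in range(n) if a[i] != b[i]]
    identical = n - len(diffs)
    diffs += list(range(n, max(len(a), len(b))))
    return identical, diffs


def similarity(a: bytes, b: bytes) -> float:
    """Fraction of identical bytes over the longer key (1.0 means identical)."""
    identical, _ = compare_keys(a, b)
    return identical / max(len(a), len(b))


def hex_pattern(a: bytes, b: bytes) -> str:
    """Build a YARA-style hex string over the common length.

    Bytes shared by both keys are emitted literally; bytes that differ
    become '??' wildcards, so the pattern matches either known variant and
    any further sample whose key varies only at the already-variable offsets.
    """
    n = min(len(a), len(b))
    parts = ["%02X" % a[i] if a[i] == b[i] else "??" for i in range(n)]
    return "{ " + " ".join(parts) + " }"


if __name__ == "__main__":
    ident, diffs = compare_keys(ANDROID_KEY, LINUX_KEY)
    print(f"lengths: {len(ANDROID_KEY)}/{len(LINUX_KEY)} bytes, identical: {ident}")
    for i in diffs:
        print(f"  offset {i:2d}: android={ANDROID_KEY[i]:02X} linux={LINUX_KEY[i]:02X}")
    print("similarity: %.0f%%" % (100 * similarity(ANDROID_KEY, LINUX_KEY)))
    print("yara hex:", hex_pattern(ANDROID_KEY, LINUX_KEY))
```

Run as printed, the comparison confirms the slide: 50 bytes each, 46 identical, with the differences confined to offsets 11, 12, 34 and 35. Two caveats a practitioner would want. First, the wildcarded pattern is a starting point for hunting, not a finished rule; it should be checked against a clean corpus before deployment, since a 46-byte literal run is specific but the sample set behind it is two keys. Second, an observation added here rather than made on the slide: the byte sequence decodes cleanly as 32-bit x86 instructions (for instance `3B C6` is `cmp eax, esi`, `FF D0` is `call eax`, `8B FF 55 8B EC` is the familiar `mov edi, edi; push ebp; mov ebp, esp` prologue), which suggests the key was lifted from compiled code rather than generated randomly and is consistent with one key being reused across the Windows, Linux and Android builds.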
  • 25. SIDE BY SIDE: C2 PROTOCOL ARTIFACTS
§ The command-and-control protocol is consistent across X-Agent variants
§ Left: C2 artifacts from a Windows X-Agent implant
§ Right: C2 artifacts from the Попр-Д30.apk Android implant
  • 26. CONNECTING THE DOTS
§ C2 server 69.90.132.215 was previously tied to a domain associated with FANCY BEAR DownRage
  • 27. TIMELINE
§ 20 February 2013 to 13 April 2013: Tool marks indicate the development of the legitimate version of Попр-Д30.apk
§ November 2013: Euromaidan
§ February 2014: President Yanukovych flees Ukraine
§ March 2014: Annexation of Crimea
§ Spring 2014: Pro-Russian separatists in eastern Ukraine declare independence
§ Summer 2014: Ukrainian forces begin an initiative to retake territory claimed by separatists
§ July 2014: MH17 downed
§ February 2015: Cease-fire signed, which will be routinely violated
  • 28. FREQUENTLY ASKED QUESTIONS
§ Is the X-Agent source code in the wild? We have not identified any public sources of the X-Agent code.
§ How could the source code be obtained? For Linux variants of X-Agent the source is typically deployed to the target system in order to build the required kernel drivers, so forensic investigation of a compromised host may permit its recovery.
§ Did the malicious APK use GPS? No; in the report we reference gross positional data, which uses cellular (coarse) position.
§ Did the malicious APK bypass the activation by the developer? No; regardless of whether the APK was the original or the modified version, the author would still provide access codes without knowing whether the application had been tampered with.
§ What evidence is there that the malicious APK was used by the Ukrainian military? The APK was available on Ukrainian file-sharing forums.
§ Were D-30 122mm howitzers destroyed as a result of the APK? We do not know; based on publicly available data there is evidence suggesting a disproportionate loss of D-30s by Ukrainian forces.
  • 29. Upcoming CrowdCast, Thursday, January 12: Cloud-Enabled: The Future of Endpoint Security. Contact us: email crowdcasts@crowdstrike.com, Twitter @CrowdStrike