SECURITY ANALYSIS OF CYBER ATTACKS IN UKRAINE
Marina Krotofil
Lead Security Researcher
Honeywell Industrial Cyber Security Lab
S4x17
Miami, Dec 10 2017
Oleksii Yasynskyi
Principal Researcher & Head of ISSP Labs
ISSP group
Recap: Dec 2016 Power failure in Ukraine
https://www.youtube.com/watch?v=AUoiKZBqIo0
Electrical transmission-level substation Pivnichna (330kV) suddenly cut off from the main power grid on Dec 17th 2016, at 23:53 (11:53 pm)
My Collaboration with Ukraine: How it Began
Feb 24-26, 2016
Invited to Ukraine by ISACA Kyiv Chapter
− Delivered 4 talks on ICS & Smart Cities security
Conference on Critical Infrastructure Protection
− Government
− Enterprises, financial sector, utilities
− Researchers
Ongoing collaboration in several areas
− Security governance and policies
− Education and international collaboration
− Research exchange
(Photo: Alexey Yankovski, President, ISACA Kyiv Chapter)
About ISSP
• ISSP – Information Systems Security Partners
− A group of companies specialized in cybersecurity, data management solutions, managed security services, professional training and security research
• Research Center & ISSP Lab
− Specialization in malware analysis and advanced computer forensics. Provides research facilities for cybersecurity students and scientists, est. 2015
• Cyber Academy
− Educational institution whose aim is to enhance the quality of cybersecurity and data science in academia, est. 2016
In this talk…
• We are not sharing the details about the power grid hack yet
− But we focus on the steps leading to this kind of consequence, which are well studied and understood
• Discovering KillDisk in your network is already too late
− The attackers already have a very reliable distributed foothold in your network
− Cleanup/eradication is almost impossible
• It is critical to detect a malicious intrusion at its early stages
− The very subtle traces left behind by the attackers
− Behavioral patterns
New wave of infection via spear phishing
July 14, 2016
An angry customer complains about an email from Diamantbank: he supposedly has a large unpaid debt with the bank, which is now threatening him with legal action. Although the customer understood it was a scam, he OPENED the attachment.
(Screenshot: "Financial Portal" – "Don't send me this scam again!")
Anti-spam detection
Malicious code is embedded into romantic lyrics to avoid detection by the spam detection algorithms (e.g. ratio of text to code)
Signature-based detection evasion
Nesting doll: code in the code. These pieces of code will eventually assemble into a malicious line of code
(Image: https://eugenebicyclist.files.wordpress.com/2012/04/nestingdolls.jpg)
The macro grows aware of its surroundings
(Screenshot annotations: sandbox and ISP detection routines; ISP detection; PowerShell start; malicious URL; sandbox detection; HTTP request for detecting the public IP of the target)
Obfuscation techniques
Making code look like pure noise
Video (Oleksii Yasynskyi)
Customization: your computer is special!
• And the attacker is interested in getting to know it as intimately as possible
• They put all their effort into winning the system's trust and using it to its maximum potential
− 500 builds in just two weeks!
(Screenshot: Hancitor)
Detection challenges: permutations (1)
(Figure: Rubik's Cube, http://www.learnhowtosolvearubikscube.com/how-to-solve-a-rubiks-cube-solution-overview/ and http://rubiks.wikia.com/wiki/Disassembling_a_Rubik's_cube; captions: "Is it still a Rubik's Cube?", "Are these parts of a Rubik's Cube?")
Detection challenges: permutations (2)
This is KillDisk, a malware with a tiny task and multiple faces
(Figure annotations: this element in the entire code; extracting main code)
Detection challenges: permutations (2)
It is similar to the process of putting together a puzzle
(Figure annotations: fills in blank spaces after a few operations; register which points to the memory location where the virus unfolds; blank spaces which will be filled in the next iterations as the virus unfolds itself)
Detection opportunities
• Devising signatures for the whole malware sample is ineffective due to malware mutation
Instead:
• Develop signatures for specific attack techniques
• Hash-based function calls
− Approach proposed in ~2006
− LoadLibraryA & GetProcAddress are commonly used in malware code
Win32/Spy.Bebloh (banking trojan)
Win32/PSW.Fareit (Trojan for stealing passwords)
Win32/Rustock (Backdoor)
Win32/TrojanDownloader.Carberp (Dropper of banking trojan Carberp)
Win32/Kelihos (Spam sender)
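One way to turn "sign the technique, not the sample" into a scanner, as an added example that is not from the talk: precompute the hashes of the API names a loader resolves at run time through LoadLibraryA/GetProcAddress, then look for those constants in a code blob. The ROR13 hash variant, the API names beyond the two on the slide, and the sample bytes are assumptions; the slide does not say which hash function the malware used.

```python
import struct
from typing import Dict, List, Optional, Tuple

# APIs a run-time import resolver typically looks up by hash. LoadLibraryA
# and GetProcAddress are the two the slide names; the others are assumptions.
API_NAMES = ["LoadLibraryA", "GetProcAddress", "VirtualAlloc",
             "CreateFileA", "WriteFile", "WinExec"]


def ror13_hash(name: str) -> int:
    """32-bit ROR13 hash of an ASCII API name including its NUL terminator.

    Assumed variant: rotate the running hash right by 13 bits, then add the
    next byte. This is the form most often seen in position-independent
    loaders, not necessarily the one used by the samples in the talk."""
    h = 0
    for byte in name.encode("ascii") + b"\x00":
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + byte) & 0xFFFFFFFF
    return h


def build_hash_table(names: List[str] = API_NAMES) -> Dict[int, str]:
    """Map precomputed hash -> API name; this table is the 'signature'."""
    return {ror13_hash(n): n for n in names}


def find_hashed_apis(blob: bytes,
                     table: Optional[Dict[int, str]] = None) -> List[Tuple[int, str]]:
    """Return (offset, api_name) for every little-endian 32-bit constant in
    blob that equals a known API hash. Every byte offset is tried because the
    constants sit in instruction immediates and are not aligned."""
    if table is None:
        table = build_hash_table()
    hits = []
    for off in range(len(blob) - 3):
        (value,) = struct.unpack_from("<I", blob, off)
        if value in table:
            hits.append((off, table[value]))
    return hits


# Constructed sample: two hash constants embedded as immediates, separated
# by filler bytes, standing in for a real hash-resolving stub.
SAMPLE = (b"\x90" * 4
          + b"\x68" + struct.pack("<I", ror13_hash("LoadLibraryA")) + b"\xff\xd5"
          + b"\x31\xc0"
          + b"\x68" + struct.pack("<I", ror13_hash("GetProcAddress")) + b"\xff\xd5")

if __name__ == "__main__":
    for off, name in find_hashed_apis(SAMPLE):
        print(f"offset {off:#06x}: hash constant for {name}")
```

Because the table is keyed on the technique's output rather than on the sample's bytes, the same scan still fires after the loader is re-obfuscated or recompiled, as long as the hash function is unchanged.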
Meanwhile, back at the ranch…
SPEAR PHISHING ATTACK HITS INDUSTRIAL COMPANIES
• ~500 organizations from 50 countries (active campaign)
− Vendors of industrial automation & field equipment
− Integrators and support contractors
• Very determined attacker
− Appears to target smaller companies first so that it can send legitimate-looking emails to larger companies
• Old tools carefully packed into a new container
− Previously unseen crypter for delivery of the initial payload
− An array of tools for almost everything (remote administration, recon, data and file collection, etc.)
Takeaways (1)
• You will get hacked guests on your network
− The e-commerce sector is already moving away from the "end user host is taken" attacker model to "end user application is taken"
− Detection/defenses at the level of workflows and business processes
(Images: animal camouflage, thetoptenz.net/animal-camouflage/; Batesian mimicry, https://bybio.wordpress.com/tag/batesian-mimicry/; caption "YOU AGAIN?")
• Camouflage and mimicry
− The adversary will blend into your infrastructure as quickly as possible
− Business process owners must be included in defining known "good" and "not good"
Uncovering disguise
Number of sessions under a legitimate service account
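The "number of sessions under a legitimate service account" indicator, as an added example (not from the talk) over constructed logon records: a service account that suddenly has sessions from many distinct hosts within a short window stands out even when each individual logon looks legitimate. The log format, the 5-minute window and the threshold of two hosts are assumed baselines that a real deployment would derive from its own history.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample logon events: timestamp, account, source host, logon type.
# svc_backup normally runs from two backup hosts; at 21:14 it suddenly appears
# on workstations, a domain controller and an HMI within half a minute.
SAMPLE_LOG = """\
2016-07-14T09:00:02 svc_backup  BKP-01  3
2016-07-14T09:00:40 svc_backup  BKP-01  3
2016-07-14T09:05:12 svc_backup  FS-02   3
2016-07-14T09:10:00 svc_monitor MON-01  3
2016-07-14T21:14:03 svc_backup  WS-117  3
2016-07-14T21:14:09 svc_backup  WS-203  3
2016-07-14T21:14:15 svc_backup  WS-088  10
2016-07-14T21:14:22 svc_backup  DC-01   3
2016-07-14T21:14:30 svc_backup  HMI-04  10
"""

Event = Tuple[datetime, str, str, int]


def parse_log(text: str) -> List[Event]:
    """Parse the whitespace-separated sample format into typed events."""
    events = []
    for line in text.splitlines():
        ts, account, host, logon_type = line.split()
        events.append((datetime.fromisoformat(ts), account, host, int(logon_type)))
    return events


def find_session_spikes(events: List[Event], window: timedelta = timedelta(minutes=5),
                        max_hosts: int = 2) -> Dict[str, Tuple[datetime, List[str]]]:
    """Sliding-window count of distinct source hosts per account.

    Returns {account: (window_start, hosts)} for the first window in which an
    account has sessions from more than `max_hosts` distinct hosts."""
    by_account: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, account, host, _ in sorted(events):
        by_account[account].append((ts, host))
    alerts = {}
    for account, logons in by_account.items():
        start = 0
        for end in range(len(logons)):
            while logons[end][0] - logons[start][0] > window:
                start += 1          # drop logons that fell out of the window
            hosts = {h for _, h in logons[start:end + 1]}
            if len(hosts) > max_hosts:
                alerts[account] = (logons[start][0], sorted(hosts))
                break
    return alerts


if __name__ == "__main__":
    for account, (since, hosts) in find_session_spikes(parse_log(SAMPLE_LOG)).items():
        print(f"{account}: {len(hosts)} hosts since {since:%H:%M:%S}: {', '.join(hosts)}")
```

Logon type 10 (RemoteInteractive) appearing under a service account is a second signal in the same records; the function above deliberately keys on host fan-out alone so that the one metric named on the slide is what gets tested.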
Takeaways (2)
(Image: http://hdcdnsun2.r.worldssl.net/sites/www.hypnosisdownloads.com/files/broken-heart-image.jpg)
• The disjointed infrastructure monitoring approach is dead
− Bird's-eye view: real-time holistic monitoring across multiple security and performance tools/applications
− And use their synergies
The most important takeaway
• In the 1st investigation, reconstructing the timeline took 4 months
− No tools (had to be developed)
− No previous similar experience
• Reconstructing the timeline now takes 2 weeks
− With even greater detail
− You save time and gain knowledge to work on defenses
(Image: http://cdn.quotesgram.com/img/99/0/1555958381-lemons.jpg)
Acknowledgements
• Honeywell team for an incredible work environment and support
• Roman Sologub, General Manager, ISSP
• Aleksey Baranovsky, Head of Cyber Academy, ISSP
• Vladimir Dashchenko, Kaspersky Lab & ICS-CERT
And dear hackers for securing our jobs ;-)
Thank you
Marina Krotofil
marina.krotofil@honeywell.com
@marmusha
Oleksii Yasynskyi
oyasynskyi@isspgroup.com
@Aleksey_yas
https://socprime.com/en/blog/


Editor's Notes

• #18: Similar to Ukraine, the spear phishing email had financial content – WORKS ALWAYS