CSE: Hackers Are Humans Too – Partial
Aug. 2, 2017
TS//SI//REL TO CAN, AUS, GBR, NZL, and USA
Communications Security Establishment Canada
Centre de la sécurité des télécommunications Canada
Hackers are Humans too
Cyber leads to CI leads
Safeguarding Canada's security through information superiority
1
Introductions
• Cyber-counterintelligence
• My primary focus is MAKERSMARK (Russia)
• CSEC - Covert Network Threat (CNT) group
- New name, same Cyber/CI group you know and love
- Cyber and traditional CI sitting side by side
- Focused on Foreign Intelligence, not Information Assurance
2
Goals
• How do we attribute cyber intrusion sets?
• How do we go beyond the hacking face of a CNE program?
- Expose management structure, operators
- Requirements, technological advances
• This presentation portrays only one method
- Passive infrastructure tasking/contact chaining
- Many others are available
3
Initial Seed
• Infrastructure tasking
- Mostly exposed through malware/content delivery
• Careful and manual monitoring of anomalous network sessions
• Nothing fancy
• Not Web 2.0, but it works
4
Overview
• MAKERSMARK
- Misuse of Operational Infrastructure
- Poor OPSEC practices
5
MAKERSMARK (Russian CNE)
Designed by geniuses
Implemented by morons
6
MAKERSMARK
• The MAKERSMARK less attributed (LA) systems are really well designed
• This has not translated into security for MAKERSMARK operators
• Personal browsing through LA systems
- Workshops, ORBs, and controllers
• Development shop infected by crimeware
- 4th party collection
7
MAKERSMARK: Less Attributed Overview
[Diagram; labels: "SIGINT Intercept", "Spoofed Source IP", "MAKERSMARK"]
8
MAKERSMARK: Misuse of Infrastructure
• Less Attributable infrastructure used for highly attributable purposes:
- Hosting implant callback servers
- Live testing of new implant protocols
- Collecting exfiltration
• This is not CNE best practices
9
MAKERSMARK: Misuse of LA Systems
• Personal Social Networking
- Vkontakte
- (mail/inbox/bk).ru accounts
• Personal Email
- Webmail/POP
- Personal retrieval through masquerading infrastructure
• Personal web browsing
10
MAKERSMARK: 4th party collection
• Implant development shop infected by GUMBLAR botnet
- Crimeware
- Sends pharmaceutical spam
• Exfiltration to Canadian "bullet proof" host
- HTTP/FTP logins
- Collection of MM operator browsing habits
- MM LiveJournal accounts included in collection
11
Closing Remarks
• You have to keep an eye out
- A lot of value can be lost by not following leads
- Typically the window to exploit information is short
- Knowing what to look for is half the battle
• These exploitation opportunities don't last forever
• As a CNE program matures, so will its OPSEC
24
Questions?
25