
Page 1: BigDataIgnite

All material confidential and proprietary

EXPLOITATION OF GEO-POLITICAL EVENTS BY STATE-SPONSORED ADVERSARIES

SECURITY DATA ANALYTICS

Page 2: BigDataIgnite


THE OTHER 2 VS OF BIG-DATA

• Volume - ✔
• Velocity - ✔
• VARIETY - ?
• VERACITY - ???

Source: http://www.ibmbigdatahub.com/infographic/four-vs-big-data

Page 3: BigDataIgnite


SOUTH CHINA SEA

• ⅓ of the world's oil / $5T in global trade; energy-rich area
• Multi-national dispute over territorial claims
• China claims most of the region and has been the most assertive
• China's cyber efforts support a robust political, economic, and military effort
• China claims it's a victim, not an adversary

Page 4: BigDataIgnite


WHEN REAL & CYBER WORLDS MEET
THE NAIKON APT (Advanced Persistent Threat)

•Conducts “high-volume, high-profile, geopolitically motivated attacks” since at least 2010

•Campaigns focus on individual countries, with toolsets deployed against a range of organizations

•Email as an attack vector

•Precise social engineering to identify targets

•Use of decoy documents, timely events as bait

Page 5: BigDataIgnite


MEET GREENSKY27

• The malware associated with the Naikon APT talked to certain Command and Control (C&C) servers
• An oddball in what was largely a set of domains generated by algorithms (DGA) was "greensky27.vicp.net"
• Greensky27 has a long history going back 5 years
• What is a moniker doing in machine-generated data?

Page 6: BigDataIgnite


KUNMING; THE CENTER OF THE UNIVERSE

• Domains map to IP addresses
• IP addresses belong to ASNs
• ASNs are more or less static and give us locations.
• Greensky27 changed IPs, a lot!

Page 7: BigDataIgnite


IP BASED BLOCKING NOT ENOUGH

• 80% of IPs used were disposed of within a day
• 99% of IPs were used only 3 times or less; 50% were never used.

HAIKU TIME
IPs are cheap; Adversary is smart; Good luck with that firewall!
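The domain → IP → ASN pivot and the churn numbers from the two slides above, as an added example that is not part of the original deck: a small Python script over constructed passive-DNS style resolution records for greensky27.vicp.net (the timestamps, IPs and ASNs are made up here) that measures how quickly each IP is disposed of, how many times each was used, and how the IPs group by ASN. The same three functions run unchanged over real passive-DNS exports with the same four columns.

```python
"""Infrastructure churn analysis over constructed passive-DNS records.

Added example (not part of the original slides). Each record is
(observed_at, domain, ip, asn). The domain is the dynamic-DNS name from
the deck; timestamps, IPs (TEST-NET-1 range) and ASNs are constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample records.
RECORDS = [
    ("2015-03-01T08:00", "greensky27.vicp.net", "192.0.2.1", "AS64496"),
    ("2015-03-01T12:00", "greensky27.vicp.net", "192.0.2.1", "AS64496"),
    ("2015-03-01T20:00", "greensky27.vicp.net", "192.0.2.2", "AS64496"),
    ("2015-03-02T09:00", "greensky27.vicp.net", "192.0.2.3", "AS64497"),
    ("2015-03-02T10:00", "greensky27.vicp.net", "192.0.2.3", "AS64497"),
    ("2015-03-05T10:00", "greensky27.vicp.net", "192.0.2.3", "AS64497"),
    ("2015-03-06T11:00", "greensky27.vicp.net", "192.0.2.4", "AS64498"),
    ("2015-03-07T11:00", "greensky27.vicp.net", "192.0.2.5", "AS64498"),
]


def ip_lifetimes(records):
    """Return {ip: (first_seen, last_seen)} for every IP the domain resolved to."""
    seen = {}
    for stamp, _, ip, _ in records:
        t = datetime.fromisoformat(stamp)
        first, last = seen.get(ip, (t, t))
        seen[ip] = (min(first, t), max(last, t))
    return seen


def disposed_within(records, window=timedelta(days=1)):
    """Fraction of IPs whose last sighting falls within `window` of their first."""
    lifetimes = ip_lifetimes(records)
    short = sum(1 for first, last in lifetimes.values() if last - first <= window)
    return short / len(lifetimes)


def usage_counts(records):
    """How many resolutions each IP appears in."""
    return Counter(ip for _, _, ip, _ in records)


def used_at_most(records, n):
    """Fraction of IPs seen n times or fewer."""
    counts = usage_counts(records)
    return sum(1 for c in counts.values() if c <= n) / len(counts)


def ips_by_asn(records):
    """Group the IPs by the (more stable) ASN they belong to."""
    groups = defaultdict(set)
    for _, _, ip, asn in records:
        groups[asn].add(ip)
    return {asn: sorted(ips) for asn, ips in groups.items()}


if __name__ == "__main__":
    print(f"IPs disposed of within a day: {disposed_within(RECORDS):.0%}")
    print(f"IPs used 3 times or less:     {used_at_most(RECORDS, 3):.0%}")
    print(f"IPs used only once:           {used_at_most(RECORDS, 1):.0%}")
    for asn, ips in ips_by_asn(RECORDS).items():
        print(asn, ips)
```

On the constructed sample four of five IPs live for less than a day while the ASNs stay put, which is the deck's point: block-lists keyed on the ASN or on the domain's behaviour age far better than one keyed on the IP of the day.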

Page 8: BigDataIgnite


CHI-SQUARED CHI-NA

• A simple test of statistical independence confirms that not all locations play the same part in this drama.
• Certain locations are used for mission activities and others for pit stops.
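The independence test referred to above, as an added example that is not part of the original deck: a chi-squared test of independence on a constructed contingency table of infrastructure location versus role (the city names, the counts and the "mission" / "pit stop" labels are illustrative), computed without external libraries and compared against the standard 5% critical value. The standardized residuals show which cells drive the result, i.e. which location is over-represented in mission activity.

```python
"""Chi-squared test of independence: location vs. role of infrastructure.

Added example (not part of the original slides). Rows are locations the
ASNs resolved to, columns are how the IP was used: "mission" (observed
C2 beaconing) or "pit stop" (parked, never used). All counts are
constructed.
"""
import math

TABLE = {
    "Kunming":  {"mission": 30, "pit stop": 5},
    "Beijing":  {"mission": 6,  "pit stop": 20},
    "Shanghai": {"mission": 8,  "pit stop": 21},
}
COLUMNS = ("mission", "pit stop")

# Upper critical values of the chi-squared distribution at alpha = 0.05.
CRITICAL_05 = {1: 3.841, 2: 5.991, 3: 7.815, 4: 9.488, 5: 11.070}


def expected_counts(table):
    """Expected cell counts under independence: row_total * col_total / n."""
    rows = {r: sum(c.values()) for r, c in table.items()}
    cols = {col: sum(c[col] for c in table.values()) for col in COLUMNS}
    n = sum(rows.values())
    return {r: {col: rows[r] * cols[col] / n for col in COLUMNS} for r in table}


def chi_squared(table):
    """Return (statistic, degrees of freedom). Expected counts must be > 0."""
    exp = expected_counts(table)
    stat = 0.0
    for r, counts in table.items():
        for col in COLUMNS:
            o, e = counts[col], exp[r][col]
            stat += (o - e) ** 2 / e
    df = (len(table) - 1) * (len(COLUMNS) - 1)
    return stat, df


def independent(table, critical=CRITICAL_05):
    """True if we cannot reject independence at the 5% level."""
    stat, df = chi_squared(table)
    return stat <= critical[df]


def standardized_residuals(table):
    """(O - E) / sqrt(E) per cell; |value| > 2 marks a cell driving the result."""
    exp = expected_counts(table)
    return {r: {col: (table[r][col] - exp[r][col]) / math.sqrt(exp[r][col])
                for col in COLUMNS} for r in table}


def small_expected_cells(table, threshold=5):
    """Cells whose expected count is below the usual rule-of-thumb minimum."""
    exp = expected_counts(table)
    return [(r, col) for r in table for col in COLUMNS if exp[r][col] < threshold]


if __name__ == "__main__":
    stat, df = chi_squared(TABLE)
    print(f"chi2 = {stat:.2f}, df = {df}, independent at 5%: {independent(TABLE)}")
    for city, res in standardized_residuals(TABLE).items():
        print(city, {k: round(v, 2) for k, v in res.items()})
    print("cells with expected < 5:", small_expected_cells(TABLE))
```

The small-expected-cell check matters with infrastructure data: a location seen a handful of times inflates the statistic, so either merge sparse rows or report that the approximation is shaky.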

Page 9: BigDataIgnite


MEET GREENSKY27

• Turns out it's an alias used by actual wetware (human, get it?)
• Pivot from security data to social media and beyond.
• We found a greensky27 on Weibo: a certain Mr. Ge Xing.
• Stays in Kunming; loves to post every little detail of his personal life; works for Chinese military unit 78020
• DOESN'T WEAR A HOODIE OR A BALACLAVA!

Page 10: BigDataIgnite


EVEN HACKERS NEED WORK-LIFE BALANCE

Page 11: BigDataIgnite


WHY DO THIS?

• Threat Intelligence!
• You have limited money/time/personnel to spend on security and your adversary has a seemingly endless supply of all three.
• The more comprehensive your understanding of the security game, the better your risk management.
• Don't let your offence make the same mistake as your opponents.
• Big data is not only about volume/velocity.

Page 12: BigDataIgnite


AND NOW FOR SOMETHING COMPLETELY DIFFERENT

Page 13: BigDataIgnite


US ELECTIONS 2016!!!

• Marcel Lehel (aka Guccifer), a Romanian hacker, claimed to have hacked Hillary Clinton's personal email server without offering any evidence to back the claim.
• CrowdStrike, a US InfoSec firm, found Guccifer's activities resembling the Fancy Bear / Cozy Bear APTs and suspected a Russian state hand.
• A huge treasure trove of emails from 7 DNC staff members and other documents was released on WikiLeaks by Guccifer 2.0.
• The leaks created a huge firestorm in the US which still continues to burn.

Page 14: BigDataIgnite


FAKETIVISM

• We have always fancied and admired our hackers.
• Kevin Mitnick, Adrian Lamo, Kim Dotcom, Julian Assange, Edward Snowden

BUT…
• How do you tell a hacktivist apart from a faketivist, a state-sponsored stooge working relentlessly to advance his country's propaganda behind the veil of internet vigilantism?

Page 15: BigDataIgnite


SPELL CHEKC PLEASE

• misdepatrment[.]com spoofed misdepartment.com, a legitimate MIS Department domain.
• MIS lists the DNC as one of its clients. Domain spoofing is very common, and very effective too.
• But wait: misdepatrment[.]com ownership information shows Paris, France.
• Upon pivoting we found that the IP which hosted it hosted other suspicious domains too.
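A defender's check for the kind of spoof described above, as an added example that is not part of the original deck: a Python lookalike-domain detector that compares the registrable label of each domain seen in DNS or proxy logs against a watch list using Damerau-Levenshtein (optimal string alignment) distance. Plain Levenshtein scores "misdepatrment" vs "misdepartment" as 2 edits; counting the adjacent swap as one edit is what makes the spoof land at distance 1. The spoofed and legitimate names are the deck's; the other observed domains and the watch-list handling are constructed here, and the label extraction is a deliberate simplification (no public-suffix list).

```python
"""Lookalike-domain detection with Damerau-Levenshtein (OSA) distance.

Added example (not part of the original slides). Flags observed domains
whose second-level label is within `max_distance` edits of a protected
domain's label, with adjacent transpositions counted as one edit.
"""

# Watch list: the legitimate domain named in the deck.
PROTECTED = ["misdepartment.com"]

# Constructed batch of domains "seen in logs"; the first is the deck's spoof
# (defanged with [.]), the last is a constructed substitution variant.
OBSERVED = [
    "misdepatrment[.]com",
    "misdepartment.com",
    "example.org",
    "m1sdepartment.com",
]


def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap."""
    m, n = len(a), len(b)
    d = [[0] * (n + 1) for _ in range(m + 1)]
    for i in range(m + 1):
        d[i][0] = i
    for j in range(n + 1):
        d[0][j] = j
    for i in range(1, m + 1):
        for j in range(1, n + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution / match
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[m][n]


def registrable_label(domain):
    """Second-level label: 'mail.example.com' -> 'example'.

    Accepts defanged '[.]' input. Simplification: assumes a one-label public
    suffix, so 'example.co.uk' would yield 'co'; use a PSL library for real data.
    """
    parts = domain.lower().replace("[.]", ".").rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def find_lookalikes(observed, protected=PROTECTED, max_distance=1):
    """Return (observed_domain, protected_domain, distance) for every near miss."""
    hits = []
    for dom in observed:
        label = registrable_label(dom)
        for good in protected:
            good_label = registrable_label(good)
            if label == good_label:
                continue  # the genuine domain itself is not a lookalike
            dist = osa_distance(label, good_label)
            if dist <= max_distance:
                hits.append((dom, good, dist))
    return hits


if __name__ == "__main__":
    for dom, good, dist in find_lookalikes(OBSERVED):
        print(f"{dom} looks like {good} (distance {dist})")
```

A distance threshold of 1 keeps false positives manageable for long labels; for short brand names (four or five characters) almost any threshold produces noise, so pair the distance with an allow-list of known-good registrations or a registration-date check.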

Page 16: BigDataIgnite


VERACITY OF RUSSIAN ORIGIN

• The additional infrastructure is consistent with Russian APT actors.
• Victims are consistent with known targeting groups.

BUT…
• Enter Guccifer 2.0, a self-proclaimed Romanian hacker not involved with Russia, claiming responsibility for the DNC hack
• Creates social media accounts / blogs, ridicules research and posts even more sensitive information.

Page 17: BigDataIgnite


TIMELINE OF EVENTS

Page 18: BigDataIgnite


WHAT DOES THE DATA SAY?

• Analysis of competing hypotheses to produce the best available information from uncertain data.
• Activists seek glory; Guccifer 2.0 was oddly quiet up until the hack was exposed.
• The integrity of the leaked documents was questionable.
• Inconsistencies found in claims about hacking methodology.
• Language analysis found inconsistencies in the Romanian-origin claim.

Page 19: BigDataIgnite


THE SHIЙY ФBJЭKT?

• Purposeful breadcrumbs left behind to mislead analysts.
• Internet blog / social media persona emerges only after discovery of the hacking.
• Overlap in infrastructure used by Guccifer 2.0 and Fancy Bear.

BUT…
• Why alter the documents and create doubt?
• Purposeful interference in US elections risks retaliation.
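The analysis-of-competing-hypotheses method named on slide 18, with the counter-evidence from the BUT… bullets above folded in, as an added example that is not part of the original deck: a small Python ACH matrix. The two hypotheses and the evidence items follow the deck's bullets; the consistency ratings and weights are illustrative assumptions made here, not the presenter's scoring. ACH scores each hypothesis by the weight of evidence inconsistent with it, discards evidence that fits every hypothesis equally (it has no diagnostic value), and a sensitivity pass shows whether the ranking survives dropping any single item.

```python
"""Analysis of Competing Hypotheses as a weighted inconsistency matrix.

Added example (not part of the original slides). Ratings per evidence
item: "C" consistent with the hypothesis, "I" inconsistent, "N" neutral.
Weights and ratings are illustrative assumptions.
"""

HYPOTHESES = {
    "H1": "Guccifer 2.0 is an independent Romanian hacktivist",
    "H2": "Guccifer 2.0 is a persona in a Russian denial-and-deception campaign",
}

# (description, weight, {hypothesis: rating}); weights and ratings are assumed.
EVIDENCE = [
    ("Persona was silent until the intrusion was publicly exposed",  2, {"H1": "I", "H2": "C"}),
    ("Leaked documents show signs of alteration",                    2, {"H1": "I", "H2": "C"}),
    ("Claimed hacking methodology is internally inconsistent",       1, {"H1": "I", "H2": "C"}),
    ("Language analysis contradicts the Romanian-origin claim",      2, {"H1": "I", "H2": "C"}),
    ("Open interference in US elections risks retaliation",          1, {"H1": "C", "H2": "I"}),
    ("Documents were genuinely taken from the DNC",                  1, {"H1": "C", "H2": "C"}),
]


def is_diagnostic(ratings):
    """Evidence rated the same for every hypothesis cannot tell them apart."""
    return len(set(ratings.values())) > 1


def non_diagnostic(evidence):
    """Descriptions of evidence items that should be set aside."""
    return [desc for desc, _, ratings in evidence if not is_diagnostic(ratings)]


def inconsistency_scores(evidence, hypotheses=HYPOTHESES):
    """Sum of weights of diagnostic evidence inconsistent with each hypothesis."""
    scores = {h: 0 for h in hypotheses}
    for _, weight, ratings in evidence:
        if not is_diagnostic(ratings):
            continue
        for h, rating in ratings.items():
            if rating == "I":
                scores[h] += weight
    return scores


def rank(evidence, hypotheses=HYPOTHESES):
    """Hypotheses ordered from least to most inconsistent evidence."""
    scores = inconsistency_scores(evidence, hypotheses)
    return sorted(scores.items(), key=lambda kv: kv[1])


def sensitivity(evidence, hypotheses=HYPOTHESES):
    """Return (leading hypothesis, items whose removal would change the leader)."""
    leader = rank(evidence, hypotheses)[0][0]
    fragile = []
    for i, (desc, _, _) in enumerate(evidence):
        without = evidence[:i] + evidence[i + 1:]
        if rank(without, hypotheses)[0][0] != leader:
            fragile.append(desc)
    return leader, fragile


if __name__ == "__main__":
    for h, score in rank(EVIDENCE):
        print(f"{h} inconsistency {score}: {HYPOTHESES[h]}")
    print("set aside (non-diagnostic):", non_diagnostic(EVIDENCE))
    leader, fragile = sensitivity(EVIDENCE)
    print(f"leader {leader}; ranking depends on single items: {fragile or 'none'}")
```

The point of the sensitivity pass is the one the deck makes about veracity: a conclusion that flips when one contested document or one language-analysis finding is removed deserves a lower confidence than one that survives every single-item removal.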

Page 20: BigDataIgnite


FINAL WORD

• Enough evidence to suggest that Guccifer 2.0 is part of a Russian denial and deception campaign.
• Claims of independent hacker origin are very hard to back up.
• Hacktivism and social reformist claims are very, very suspicious.
• Most likely intention is to present a controlled version of the truth. Worst case scenario: influence the US elections directly.

Page 21: BigDataIgnite


IF ALL THIS WAS NOT ENOUGH

• https://threatconnect.com/camerashy/

• https://threatconnect.com/blog/tapping-into-democratic-national-committee/

• https://threatconnect.com/blog/guccifer-2-0-dnc-breach/

• https://threatconnect.com/blog/whats-in-a-name-server/

• https://threatconnect.com/blog/guccifer-2-all-roads-lead-russia/

• https://threatconnect.com/blog/fancy-bear-it-itch-they-cant-scratch/

• https://threatconnect.com/blog/does-a-bear-leak-in-the-woods/

• https://threatconnect.com/blog/fancy-bear-anti-doping-agency-phishing/

Page 22: BigDataIgnite


THANK YOU!