THE MOTIVES, MEANS AND METHODS OF CYBER-ADVERSARIES

ADVANCED PERSISTENT RISKS TO BUSINESS

Vitaly Kamluk

Principal Security Researcher

Kaspersky Lab

PRESENTATION OVERVIEW

• About us

• What has been driving the cyber-attackers lately?

• Latest intrusion arsenal

• Most recent infiltration techniques

• Growing trends

• Summary

GREAT: ELITE THREAT RESEARCH

• Global Research and Analysis Team, since 2008

• Threat intelligence, research and innovation leadership

• Focus: APTs, critical infrastructure threats, banking threats, sophisticated targeted attacks

RECENT HIGH PROFILE APT ATTACKS

Timeline slide, 2010–2014 (names recovered from the graphic; the year placement of each name is not preserved):

• Stuxnet

• Duqu

• Flame

• Gauss

• Miniflame

• RedOctober

• MiniDuke

• NetTraveler

• Kimsuky

• Teamspy

• Winnti

• Icefog

• The Mask/Careto

• Energetic Bear / Crouching Yeti

• Epic Turla

• CosmicDuke

• Regin

• Darkhotel

• Animal Farm

IN 2015…

• CARBANAK

• EQUATION GROUP

APT: A MITE IN YOUR NETWORK

• Hard to detect

• Almost impossible to get rid of

• And even if you do, it comes back again

MOTIVATION: WHAT ARE THEY LOOKING FOR?

• Your innovations and blueprints

• Business plans and budgets

• Routes to your shareholders and partners

MOTIVATION: WHAT ARE THEY LOOKING FOR?

• Digital certificates

• Your virtual credentials

• Physical access codes

MOTIVATION: WHAT ARE THEY LOOKING FOR?

• Scientific research results

• Government links

• List of secret studies

MOTIVATION: WHAT ARE THEY LOOKING FOR?

• Your business procedures

• Enterprise datasets

• Ways to control your company

MOTIVATION: WHAT’S THE ULTIMATE GOAL?

• Money

• Power

MEANS: THE ARSENAL

• 0-day

• 1-day

MEANS: THE ARSENAL

Digital certificates

• Invalid, fake certificates

• Certificates stolen from vendors

• Certificates by fake businesses

• Forged certificates

MEANS: THE ARSENAL

Malware tools:

• First stage implant

• Modular backdoors

Some capabilities:

• Filesystem control

• Cached password stealing

• Sound recording

• Screen grabbing

• Video casting and keylogging

• Removable media monitoring

• Smartphone infection and data snooping

MEANS: THE ARSENAL

The most advanced capabilities:

• Factoring RSA-1024 keys

• Live modification of OS updates

• OS boot process orchestration

• Jailbreaking mobile OS

• HDD firmware infection

• Mapping air-gapped networks

• Virtual registry-based encrypted filesystem

• GSM BSS hijacking


METHODS: INFILTRATION TECHNIQUES

How they get to your systems:

• Spear-phishing emails

• Social Networks and Instant Messaging

• Watering holes

• Hospitality networks

• USB drives

• Interdiction

APAC LESSONS

• Massive IP theft by Chinese hackers

• Cybersabotage / wiper attack in South Korea

• Darkhotel hospitality network attacks

• RSA key factoring

• Watering hole and Torrent file infections

• Sony hack

• Cyberattack against nuclear facility in Korea

• DDoS against Github

TRENDS ON THE RISE

• APT techniques are adopted by cybercriminals

• Business supply chains are getting attacked

• Cybermercenaries are becoming a “commodity”

• Nation states are building larger botnets

• Hospitality networks are being used to track and compromise high-profile victims

CONCLUSIONS

Remember, we told you years ago…

We are here to save the world.

CONCLUSIONS

It’s time to choose your digital bodyguard!

CONCLUSIONS

STAY CLOSER!

THANK YOU!

Vitaly Kamluk

Principal Security Researcher

Kaspersky Lab