Learn about the history of Russian intelligence influence operations and the cyber actors implementing them today.
In June 2016, CrowdStrike exposed unprecedented efforts by Russian intelligence services to interfere in the U.S. election via the hacking and subsequent leaking of information from political organizations and individuals. Election manipulation was not a new activity for the Russians - they have engaged in these influence operations consistently for the better part of the last two decades inside and outside of Russia.
In this CrowdCast, CrowdStrike experts Adam Meyers, VP of Intelligence, and Dmitri Alperovitch, Co-Founder & CTO, provide a detailed overview of the history of Russian intelligence influence operations going back decades and a deep-dive overview of the various BEAR intrusion sets (including FANCY BEAR and COZY BEAR) and their tactics, techniques and procedures (TTPs). They also discuss the considerable attribution evidence that CrowdStrike has collected from a variety of investigations into their operations and lay out the case for the Russian government connection to these hacks.
Bear Hunting: History and Attribution of Russian Intelligence Operations
1. 2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
BEAR HUNTING:
HISTORY AND ATTRIBUTION
OF RUSSIAN INTELLIGENCE OPERATIONS
DMITRI ALPEROVITCH, CTO
ADAM MEYERS, VP INTEL
2. DMITRI ALPEROVITCH
§ Co-Founder & CTO, CrowdStrike
§ Former VP Threat Research, McAfee
§ Author of Operation Aurora,
Night Dragon, Shady RAT reports
§ MIT Tech Review’s Top 35 Innovator
Under 35 for 2013
§ Foreign Policy’s Top 100 Leading
Global Thinkers for 2013
§ Politico’s Top 50 in 2016
A LITTLE ABOUT ME:
3. ADAM MEYERS
§ VP of Intelligence, CrowdStrike
§ 15+ years security experience
§ Extensive experience building and leading
intelligence practices in both the public and
private sector
§ Sought-after thought leader: conducts speaking
engagements & training classes on threat
intelligence, reverse engineering, and data breach
investigations
A LITTLE ABOUT ME:
4. Cloud Delivered Endpoint Protection
MANAGED
HUNTING
ENDPOINT DETECTION
AND RESPONSE
NEXT-GEN
ANTIVIRUS
CrowdStrike is the only security technology provider to unify next-gen AV and EDR into a
single agent, backed by 24/7 proactive threat hunting – all delivered via the cloud
5. DEMOCRATIC NATIONAL COMMITTEE
Quick refresher on why everyone now cares about Russian intrusion operations
ORDER OF EVENTS:
§ DNC hires CrowdStrike for Compromise
Assessment of their corporate network at
the end of April 2016
§ CrowdStrike deployed Falcon Host endpoint
technology in early May 2016 and
immediately identified evidence of
intrusions by two separate actors - COZY
BEAR and FANCY BEAR.
§ Forensic analysis uncovered evidence of
compromise by FANCY BEAR in mid April
2016 and COZY BEAR in the summer of 2015
§ Remediation efforts to remove the adversary
from the DNC corporate network were conducted
in early July 2016.
6.
"You know, comrades, that I think in regard to this:
I consider it completely unimportant who in the party
will vote, or how; but what is extraordinarily important is
this — who will count the votes, and how."
Joseph Stalin, 1923
Source: The Memoirs of Stalin's Former Secretary (1992)
7. THE BEGINNING: ОХРАНКА
1860s:
Political Terror
in Russia
1900s:
1917:
Formation of Cheka
(NKVD, MGB, KGB,
FSB)
FSB 1st Main Department
(Foreign Intelligence),
Service “A”:
Active Measures
(Дезинформация)
1918:
Formation
of GRU
8. RECENT HISTORY: КОМПРОМАТ
1999:
’Man, who looks
like Attorney
General’
2014:
Colonel Ilyushin of GRU
caught collecting personal
kompromat on President
Hollande
2010:
Sex Tapes with Katya
2016:
Lisa Affair
2014:
March: CyberBerkut
launch (prior to Crimea)
9. MANIPULATING ELECTIONS
Feb 2014: Klichko party email leaks
May 2014: Presidential Election in Ukraine
Destructive Attack against Ukrainian Election Commission
CyberBerkut DDoSes Ukrainian Election Website
Russian TV shows doctored election results
October 2014: Parliamentary Election in Ukraine
CyberBerkut Hacks Election Billboards in Kiev
10. CrowdStrike Intelligence
• Intelligence powers everything we do
• All-source methodology
• Adversary profiling and campaign tracking
• Human analysis coupled with platform automation
• Intelligence consumable by human decision makers and enterprise systems
12. RUSSIAN INTELLIGENCE SERVICES
Sergey Shoygu
Minister of Defense
Lieutenant General
Igor Korobov
Director of GRU
Sergey Naryshkin
Director SVR
Alexander Bortnikov
Director FSB
13. RUSSIAN INTERESTS - TODAY
§ Political Dissidents/Trouble
Makers
§ Terrorists
§ Spies
§ The Near Abroad/CIS
§ NATO/Europe
§ Elections
§ Energy/Trade
§ China
§ Ukraine
§ Syria
§ Turkey
§ Sports/Doping/World Cup
14. CAPABILITIES AND
INTENTIONS
Understanding the adversary
§ The OSS created its Research and Analysis
Branch in 1942; OSINT on adversary
news and publications provides
invaluable intel
§ General Valery Gerasimov published:
“The Value of Science Is in the Foresight: New
Challenges Demand Rethinking the Forms and
Methods of Carrying out Combat Operations”
§ Hybrid War for Regime Change
§ Step 1: Cause dissent (media, cyber,
activists, little green men)
§ Step 2: Sanctions due to instability or
oppressive actions
§ Step 3: Military force sent in to restore
order
§ Step 4: New leadership/regime
15. Obtain better outcomes using the interwebs
CYBER GERASIMOV
§ Leverage/Incite dissident hackers in the target country
§ If none exist – Make one up ¯\_(ツ)_/¯
§ DDoS attacks to disrupt infrastructure and cause panic/confusion
§ Hack media and plant fake articles
§ DOX political targets
§ Use army of trolls to build base
§ Create confusion/fear/panic
17. § November 24 2015 – Turkish F-16 shoots
down Russian SU-24 operating in Syria AO
§ November 27 2015 – First DDoS attacks
against Turkish targets detected
§ December 18 2015 – FSB raids Turkish banks
on suspicion of money laundering, at the
same time DDoS observed against Turkish
Banks
§ January 2016 DDOS against Ministry of
Transportation, the Russian Postal System,
the Federal Security Service (FSB), and the
Central Bank of Russia.
ATTACKS AGAINST TURKEY
Following the downing of SU-24 FENCER
18. § March 2016 – BERSERK BEAR targeting of European
Energy Company aligns with downing of SU-24 Fencer
§ April 2016 - The Turkish Central Population
Management System, MERNIS experiences data leak
of 50 million records
§ May 2016 - multiple hospitals in Turkey’s Diyarbakir
province were affected by a cyber attack with
questionable attribution claims
§ July 2016- BERSERK BEAR targeted a website
belonging to a non-governmental organization (NGO)
within Turkey. The targeted NGO is focused on the
development of commerce between Turkish and
European Union (EU) interests
§ July 2016 – Attempted Coup against Turkish
President Recep Tayyip Erdoğan
ATTACKS AGAINST TURKEY
Following the downing of SU-24 FENCER
19. FANCY BEAR
§ Targeting: Geopolitical Targets of
Interest to Russia, Military/Defense
Technologies, Media
§ Tactics/Techniques/Procedures:
Multiple 0-days, such as CVE-2015-7645;
custom cross-platform
implants/downloaders
(X-Agent/Downrage, etc.); phishing using
domains similar to the target's mail server;
spear phishing
§ Also Known As: APT28, Sofacy, Tsar
Team, Sednit
20. DANGER CLOSE
The case of Ukraine Artillery
§ During routine hunting conducted by
CrowdStrike researchers, Попр-Д30.apk
was identified containing X-Agent
remote access capabilities
§ Analysis reveals the filename Попр-
Д30.apk is mentioned on a Ukrainian
file-sharing forum in December 2014
§ The benign Попр-Д30 application
assists with ballistic computations in
support of the D-30 122mm Howitzer
§ The D-30 was used by Ukrainian
government forces during the same
time frame the app was in circulation.
21. X-AGENT ANDROID
Analysis of capabilities
§ The app requires an activation step that is
authorized by a Ukrainian individual and
requires interacting with the individual via
a separate communication channel
§ The registration with a Ukrainian individual
indicates the app is most likely intended to
be used by Ukrainian forces only.
§ Permissions Requested:
§ READ_CONTACTS
§ READ_SMS
§ GET_ACCOUNTS
§ INTERNET
§ ACCESS_NETWORK_STATE
§ ACCESS_WIFI_STATE
§ READ_PHONE_STATE
§ CHANGE_NETWORK_STATE
§ ACCESS_COARSE_LOCATION
§ WAKE_LOCK
§ READ_CALL_LOG
22. X-AGENT ANDROID
Analysis of capabilities
Command  Description
100      Retrieve SMS history and details
101      Reconnaissance of device
102      Retrieve call history details
104      Retrieve contact details
106      Retrieve installed app details
107      Retrieve Wifi details
109      Retrieve browser history and bookmarks
110      Retrieve data usage details
111      List files/folders on storage
112      Exfiltrate specified file
23. SIDE BY SIDE
§ Left is unmodified
Попр-Д30.apk as deployed
by author
§ Right is Попр-Д30.apk
containing additional classes
with X-Agent Implant
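The side-by-side comparison this slide describes (original Попр-Д30.apk against the rebuild carrying the X-Agent implant) can be reproduced mechanically by diffing the two archives entry by entry and diffing their declared permissions. The script below is an added example, not CrowdStrike's tooling and not the Попр-Д30 app itself. It takes the permission list from the X-Agent Android slide and ties the new permissions back to the command table on the following slide (SMS, call log, contacts, Wi-Fi). Both APKs are constructed in memory so the script runs offline; the manifest is stored as plain XML (a real APK carries binary AndroidManifest.xml, which must first be decoded with a tool such as apktool), and the package name, the original app's permission set and the dex/certificate contents are assumptions made for the example.

```python
"""Side-by-side diff of an original APK and a suspected trojanized rebuild (added example)."""
import hashlib
import io
import re
import zipfile
from typing import Dict, List, Set

# Permissions the slide lists for the trojanized Попр-Д30.apk.
IMPLANT_PERMISSIONS: List[str] = [
    "READ_CONTACTS", "READ_SMS", "GET_ACCOUNTS", "INTERNET",
    "ACCESS_NETWORK_STATE", "ACCESS_WIFI_STATE", "READ_PHONE_STATE",
    "CHANGE_NETWORK_STATE", "ACCESS_COARSE_LOCATION", "WAKE_LOCK", "READ_CALL_LOG",
]
# Assumption for the example: an offline ballistics calculator only needs to keep the screen awake.
ORIGINAL_PERMISSIONS: List[str] = ["WAKE_LOCK"]

# New permissions that directly back collection commands in the X-Agent command table.
PERMISSION_TO_COMMAND: Dict[str, str] = {
    "READ_SMS": "100 Retrieve SMS history and details",
    "READ_CALL_LOG": "102 Retrieve call history details",
    "READ_CONTACTS": "104 Retrieve contact details",
    "ACCESS_WIFI_STATE": "107 Retrieve Wifi details",
}


def build_manifest(perms: List[str]) -> bytes:
    """Plain-XML stand-in for AndroidManifest.xml (real APKs store binary AXML)."""
    lines = ['<manifest package="example.popr.d30">']  # constructed package name
    lines += [f'  <uses-permission android:name="android.permission.{p}"/>' for p in perms]
    lines.append("</manifest>")
    return "\n".join(lines).encode()


def build_apk(perms: List[str], dex: bytes, cert: bytes) -> bytes:
    """Build a minimal APK-shaped zip in memory (constructed sample, not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", build_manifest(perms))
        z.writestr("classes.dex", dex)
        z.writestr("res/layout/main.xml", b"<LinearLayout/>")
        z.writestr("META-INF/CERT.RSA", cert)  # a rebuilt APK must be re-signed
    return buf.getvalue()


def entry_hashes(apk: bytes) -> Dict[str, str]:
    """SHA-256 of every archive entry, keyed by entry name."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        return {n: hashlib.sha256(z.read(n)).hexdigest() for n in z.namelist()}


def diff_entries(orig: bytes, mod: bytes) -> Dict[str, List[str]]:
    """Entries added, removed, or changed (by hash) between the two archives."""
    a, b = entry_hashes(orig), entry_hashes(mod)
    return {
        "added": sorted(set(b) - set(a)),
        "removed": sorted(set(a) - set(b)),
        "changed": sorted(n for n in set(a) & set(b) if a[n] != b[n]),
    }


_PERM_RE = re.compile(r'android:name="android\.permission\.([A-Z_]+)"')


def manifest_permissions(apk: bytes) -> Set[str]:
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        return set(_PERM_RE.findall(z.read("AndroidManifest.xml").decode()))


def diff_permissions(orig: bytes, mod: bytes) -> Dict[str, Set[str]]:
    a, b = manifest_permissions(orig), manifest_permissions(mod)
    return {"added": b - a, "removed": a - b}


def triage(orig: bytes, mod: bytes) -> Dict[str, object]:
    """Summarise what the rebuild changed and which new permissions back known collection commands."""
    entries = diff_entries(orig, mod)
    perms = diff_permissions(orig, mod)
    added = sorted(perms["added"])
    return {
        "code_changed": "classes.dex" in entries["changed"],
        "resigned": "META-INF/CERT.RSA" in entries["changed"],
        "added_permissions": added,
        "collection_capabilities": {p: PERMISSION_TO_COMMAND[p] for p in added if p in PERMISSION_TO_COMMAND},
    }


# Constructed samples: the rebuild carries extra classes in classes.dex and a different signer.
ORIGINAL_APK = build_apk(ORIGINAL_PERMISSIONS, b"dex\n035\0ballistics-classes", b"cert:author")
MODIFIED_APK = build_apk(IMPLANT_PERMISSIONS, b"dex\n035\0ballistics-classes+implant-classes", b"cert:rebuilder")

if __name__ == "__main__":
    import json
    print(json.dumps(triage(ORIGINAL_APK, MODIFIED_APK), indent=2))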
24. CRYPTOGRAPHIC OVERLAP
§ The RC4 key used by X-Agent is 50 bytes; the Linux X-Agent was identified with 46 identical
bytes
§ RC4 Key from X-agent Попр-Д30.apk Android Implant:
3B C6 73 0F 8B 07 85 C0 74 02 FF CC DE C7 04 3B FE 72 F1 5F 5E C3 8B FF 56 B8 D8 78 75 07
50 E8 B1 D1 FA FE 59 5D C3 8B FF 55 8B EC 83 EC 10 A1 33 35
§ RC4 Key from X-agent Linux Implant:
3B C6 73 0F 8B 07 85 C0 74 02 FF D0 83 C7 04 3B FE 72 F1 5F 5E C3 8B FF 56 B8 D8 78 75 07
50 E8 B1 D1 FF FF 59 5D C3 8B FF 55 8B EC 83 EC 10 A1 33 35
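The 46-of-50 overlap claimed on this slide can be checked directly from the two hex dumps. The script below is an added example, not CrowdStrike's analysis code: it parses both dumps, counts identical bytes, reports the mismatching offsets and the longest identical run, and then uses a plain RC4 implementation to show that the two keys, despite differing in only four bytes, produce unrelated keystreams. The two key dumps are the ones printed on the slide; the RC4 routine is a textbook implementation added for the example.

```python
"""Byte-level overlap between the two X-Agent RC4 keys on the slide (added example)."""
from typing import List, Tuple

# Key dumps copied from the slide.
ANDROID_KEY_HEX = (
    "3B C6 73 0F 8B 07 85 C0 74 02 FF CC DE C7 04 3B FE 72 F1 5F 5E C3 8B FF 56 B8 D8 78 75 07 "
    "50 E8 B1 D1 FA FE 59 5D C3 8B FF 55 8B EC 83 EC 10 A1 33 35"
)
LINUX_KEY_HEX = (
    "3B C6 73 0F 8B 07 85 C0 74 02 FF D0 83 C7 04 3B FE 72 F1 5F 5E C3 8B FF 56 B8 D8 78 75 07 "
    "50 E8 B1 D1 FF FF 59 5D C3 8B FF 55 8B EC 83 EC 10 A1 33 35"
)


def parse_hex_dump(dump: str) -> bytes:
    """Turn a space-separated hex dump (possibly spanning lines) into bytes."""
    return bytes.fromhex("".join(dump.split()))


def key_overlap(a: bytes, b: bytes) -> Tuple[int, List[Tuple[int, int, int]]]:
    """Return (identical byte count, [(offset, byte_a, byte_b), ...] for mismatches).
    Keys of unequal length are compared over the common prefix; the tail is reported
    as mismatches with -1 standing in for the missing byte."""
    n = min(len(a), len(b))
    diffs = [(i, a[i], b[i]) for i in range(n) if a[i] != b[i]]
    identical = n - len(diffs)
    for i in range(n, max(len(a), len(b))):
        diffs.append((i, a[i] if i < len(a) else -1, b[i] if i < len(b) else -1))
    return identical, diffs


def longest_common_run(a: bytes, b: bytes) -> Tuple[int, int]:
    """Longest run of positionally identical bytes as (start offset, length)."""
    best_start = best_len = cur_start = cur_len = 0
    for i in range(min(len(a), len(b))):
        if a[i] == b[i]:
            if cur_len == 0:
                cur_start = i
            cur_len += 1
            if cur_len > best_len:
                best_start, best_len = cur_start, cur_len
        else:
            cur_len = 0
    return best_start, best_len


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Standard RC4 key scheduling plus PRGA; returns the first n keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def keystream_divergence(a: bytes, b: bytes, n: int = 16) -> int:
    """How many of the first n keystream bytes differ between two keys."""
    return sum(x != y for x, y in zip(rc4_keystream(a, n), rc4_keystream(b, n)))


if __name__ == "__main__":
    android, linux = parse_hex_dump(ANDROID_KEY_HEX), parse_hex_dump(LINUX_KEY_HEX)
    identical, diffs = key_overlap(android, linux)
    print(f"{identical}/{len(android)} bytes identical")
    for off, x, y in diffs:
        print(f"  offset {off:2d}: android {x:02X}  linux {y:02X}")
    print("longest identical run (start, length):", longest_common_run(android, linux))
    print("keystream bytes differing in first 16:", keystream_divergence(android, linux))
```

Two points the output makes that the slide only implies. First, near-identical keys are an attribution artifact, not a decryption shortcut: four differing key bytes change the RC4 state permutation from the first mismatched offset onward, so traffic from one variant cannot be decrypted with the other's key. Second, the dump itself decodes as valid 32-bit x86 instructions (3B C6 is cmp eax, esi; C3 is ret), which gives an analyst a second pivot, searching samples for the same code bytes, that does not depend on the bytes being used as an RC4 key at all.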
25. SIDE BY SIDE C2 PROTOCOL ARTIFACTS
§ Command and Control protocol
across X-Agent is consistent
§ Left C2 Artifacts from a Windows X-
Agent implant
§ Right C2 Artifacts from Попр-Д30.apk
Android Implant
26. CONNECTING THE DOTS
C2 Server 69.90.132.215 previously tied to a domain associated with FANCY BEAR DownRage
27. TIMELINE
§ Tool marks indicate the legitimate version of Попр-Д30.apk
was developed between 20 February 2013 and 13 April 2013
§ November 2013 Euromaidan
§ February 2014 President Yanukovych flees Ukraine
§ March 2014 Annexation of Crimea
§ Spring 2014 Pro-Russian separatists in the eastern
Ukraine declare independence
§ Summer of 2014 Ukrainian forces begin initiative to
retake territory claimed by separatists
§ MH17 Downed
§ February 2015 Cease fire signed which will be routinely
violated
28. FREQUENTLY ASKED QUESTIONS
§ Is the X-Agent source code in the wild?
§ We have not identified any public sources of the X-Agent code.
§ How could the source code be obtained?
§ For Linux variants of X-Agent the source is typically deployed to the target system to build the
required kernel drivers, so forensic investigation may permit its recovery.
§ Did the malicious APK use GPS?
§ No. In the report we reference gross positional data, which uses cellular (coarse) positioning.
§ Did the malicious APK bypass the activation by the developer?
§ No. Regardless of whether the APK was the original or the modified version, the author would still provide
access codes without knowing whether the application had been tampered with.
§ What evidence is there that the malicious APK was used by the Ukrainian military?
§ The APK was available on Ukrainian file-sharing forums.
§ Were D-30 122mm howitzers destroyed as a result of the APK?
§ We do not know. Based on publicly available data, there is evidence suggesting a
disproportionate loss of D-30s by Ukrainian forces.
29. Upcoming CrowdCast:
Thursday, January 12
Cloud-Enabled: The Future of Endpoint Security
Contact Us
Email: crowdcasts@crowdstrike.com
Twitter: @CrowdStrike