
Viktor Zhora - Cyber and Geopolitics: Ukrainian factor

Hidden details of some high profile hacks of the last 3 years from the guy, who happens to deal with geopolitical cyber-attacks for a living.
Follow Viktor on Twitter: https://twitter.com/VZhora

Published in: Technology


  1. Cyber and Geopolitics: Ukrainian factor. Victor Zhora, UISG, Member of Board
  2. Agenda
     • Election hack
       – Cyberberkut
       – First messages
       – Versions
     • DNC hack
       – Circumstances
       – Results
     • Press and follow-up
  3. Election hack, 22-25/05/2014. Phases:
     • "Elections" system destruction/disruption
     • Display of fake election results
     • DDoS attack on the CEC website
  4. Cyberberkut, 23/05/2014
  5. Nalyvaichenko, 23/05/2014
     • "Yesterday, an infected program was destroyed. On May 25, the virus had to destroy the election results. The virus has been eliminated, the software has been replaced."
  6. CERT-UA
  7. Versions
     • Malware (Uroboros, Sofacy ???)
     • Insider
     • Cisco 0-day
     • Web shell
     • SOESoftware
  8. Version #1: Sofacy
  9. Version #1: Sofacy
     • Nikolay Koval: "The technical aspects of this hack also tell us something very important: the hackers were professionals. Beyond disabling the site and successfully displaying incorrect election results, CERT-UA discovered advanced cyber espionage malware on the CEC network (Sofacy/APT28/Sednit)."
     • My question: which one? Sofacy, X-Agent…?
  10. Version #2: Cisco 0-day
     • Cyberberkut: "We hacked CEC network via 0-day vulnerability in Cisco ASA"
  11. Version #3: Web shell, SOESoftware
     • The web shell was probably used to place the Yarosh picture and to change content as circumstances required
     • Web server logs show only a few connections; the shell was not widely used
     • Persistent access had been arranged long before the elections
  12. Yarosh picture
  13. Yarosh picture
     • Nikolay Koval: "On 25 May – election day – 12 minutes before the polls closed (19:48 EET), the attackers posted on the CEC website a picture of Ukrainian Right Sector leader Dmitry Yarosh, incorrectly claiming that he had won the election. This image was immediately shown on Russian TV channels."
  14. WSJ, 09/11/2015
     • Margaret Coker, Paul Sonne
  15. US Media
  16. 2016 Democratic National Committee email leak, 22/07/2016
     • 19,252 emails and 8,034 attachments leaked to and subsequently published by WikiLeaks
     • Idea of the leaked emails: sabotage Bernie Sanders' election campaign
     • 08/11/2016 – Election Day
     • 09/12/2016 – the CIA said that the US Intelligence Community concluded Russia conducted operations during the 2016 U.S. election to prevent Hillary Clinton from winning the presidency
  17. DNC Hack
     • "Guccifer 2.0" (Romanian???) claimed to be the source of the leaks
     • CrowdStrike, Fidelis Cybersecurity, Mandiant, SecureWorks, and ThreatConnect, and the editor for Ars Technica, stated the leak was part of a series of cyberattacks on the DNC committed by two Russian intelligence groups
  18. DNC Hack
     • 06/10/2016, Joint Statement from the Department of Homeland Security and Office of the Director of National Intelligence on Election Security
       – "The U.S. Intelligence Community (USIC) is confident that the Russian Government directed the recent compromises of e-mails from US persons and institutions, including from US political organizations. The recent disclosures of alleged hacked e-mails on sites like DCLeaks.com and WikiLeaks and by the Guccifer 2.0 online persona are consistent with the methods and motivations of Russian-directed efforts"
  19. DNC Hack
     • 06/10/2016, Joint Statement from the Department of Homeland Security and Office of the Director of National Intelligence on Election Security
       – "These thefts and disclosures are intended to interfere with the US election process. Such activity is not new to Moscow—the Russians have used similar tactics and techniques across Europe and Eurasia, for example, to influence public opinion there. We believe, based on the scope and sensitivity of these efforts, that only Russia's senior-most officials could have authorized these activities"
  20. DNC Hack
     • 06/10/2016, Joint Statement from the Department of Homeland Security and Office of the Director of National Intelligence on Election Security
       – "The USIC and the Department of Homeland Security (DHS) assess that it would be extremely difficult for someone, including a nation-state actor, to alter actual ballot counts or election results by cyber attack or intrusion. This assessment is based on the decentralized nature of our election system in this country and the number of protections state and local election officials have in place. States ensure that voting machines are not connected to the Internet, and there are numerous checks and balances as well as extensive oversight at multiple levels built into our election process"
  21. DNC Hack
     • 14/10/2016, Joe Biden, NBC News
       – "…the U.S. would respond to these attacks at the time of our choosing, and under the circumstances that have the greatest impact."
  22. Time, 07/11/2016
     • Simon Shuster
  23. Time, 07/11/2016
     • Idea #1: UCA appears as an independent player
     • Idea #2: binding UCA activity to a foreign intelligence service, presumably a US one
  24. New York Times, 16/08/2017
     • Andrew A. Kramer, Andrew Higgins
  25. New York Times, 16/08/2017
     • Idea #1: "Profexer", the Ukrainian hacker, developed malware (P.A.S. web shell) used in the DNC hack
     • Idea #2: binding Ukrainian hackers to Fancy Bear / Cozy Bear
     • "The mirror of the hard drive (from CVK – VZ) went to the F.B.I., which had this forensic sample when the cybersecurity company CrowdStrike identified the same malware two years later, on the D.N.C. servers"
  26. The Washington Times, 21/08/2017
     • Dan Boylan, "DNC hack theories considered extreme and fringe now entering mainstream"
       – Idea: not a hack, but a leak by an insider
       – Ray McGovern, CIA veteran: "There is clear evidence that some of the DNC emails given to WikiLeaks contained superimposed Russian language formatting. Essentially, they were synthetically tainted with Russian fingerprints"
  27. CrowdStrike, 22/12/2016
     • "In late June and August 2016, CrowdStrike Intelligence provided initial reporting and technical analysis of a variant of the FANCY BEAR implant X-Agent that targeted the Android mobile platform. CrowdStrike identified this X-Agent variant within a legitimate Android application named Попр-Д30.apk"
  28. Goal #1: We're under attack!!!
  29. Goal #2: You're in danger too!
  30. Goal #3: Invest in Ukraine!
  31. To be continued…
     • Wired, Andy Greenberg, 06/09/2017
