APT 28 :Cyber Espionage and the Russian Government?
description
Transcript of APT 28 :Cyber Espionage and the Russian Government?
![Page 1: APT 28 :Cyber Espionage and the Russian Government?](https://reader034.fdocuments.net/reader034/viewer/2022052508/559cd6001a28ab9f5f8b45c1/html5/thumbnails/1.jpg)
By : Anupam Tiwari,CEH,CCCSP,PGDIS,GFSU Certified, B.Tech, M.Tech
Combined null/OWASP Delhi Year End Meet
![Page 2: APT 28 :Cyber Espionage and the Russian Government?](https://reader034.fdocuments.net/reader034/viewer/2022052508/559cd6001a28ab9f5f8b45c1/html5/thumbnails/2.jpg)
The ppt is based on a report available at
http://www.fireeye.com/resources/pdfs/apt28.pdf
![Page 3: APT 28 :Cyber Espionage and the Russian Government?](https://reader034.fdocuments.net/reader034/viewer/2022052508/559cd6001a28ab9f5f8b45c1/html5/thumbnails/3.jpg)
![Page 4: APT 28 :Cyber Espionage and the Russian Government?](https://reader034.fdocuments.net/reader034/viewer/2022052508/559cd6001a28ab9f5f8b45c1/html5/thumbnails/4.jpg)
Dr. Web Russia
ESET Slovakia
ESET Slovakia
F-Secure Finland
F-Secure Finland
FRISK Software Iceland
Fortinet United States
G DATA Software Germany
G DATA Software Germany
GFI Software Malta
Ikarus Australia
IObit United States
iolo technologies United States
iS3 United States
K7 Computing India
K7 Computing India
Kaspersky Lab Russia
KingSoft China
McAfee United States
Microsoft United States
NANO Security Russia
Panda Security Spain
PSafe Brazil
Agnitu`m Russia
Agnitum RussiaAhnLab South Koreaavast! Czech Republicavast! Czech Republicavast! Czech RepublicAVG Technologies (Grisoft)
Czech Republic
Avira GermanyAvira GermanyBitdefender RomaniaBitdefender RomaniaBitdefender RomaniaBullGuard United KingdomBullGuard United KingdomCheck Point United StatesCheck Point United StatesClamWin AustraliaComodo Group United StatesComodo Group United StatesCYSEC United KingdomComodo Group United StatesDr. Web Russia
Qihoo 360 China
Quick Heal India
Scandium SecurityCyprus
SophosUnited Kingdom
Cisco (originally Immunet)
United States
StraySpark Computing
United Kingdom
Symantec United States
Symantec (originally PC Tools)
United States
TG Soft Italy
TG Soft Italy
Trend Micro Japan
TrustPortCzech Republic
VirusBlokAda Belarus
Webroot United States
Zemana Turkey
![Page 5: APT 28 :Cyber Espionage and the Russian Government?](https://reader034.fdocuments.net/reader034/viewer/2022052508/559cd6001a28ab9f5f8b45c1/html5/thumbnails/5.jpg)
Moonlight Maze
![Page 6: APT 28 :Cyber Espionage and the Russian Government?](https://reader034.fdocuments.net/reader034/viewer/2022052508/559cd6001a28ab9f5f8b45c1/html5/thumbnails/6.jpg)
![Page 7: APT 28 :Cyber Espionage and the Russian Government?](https://reader034.fdocuments.net/reader034/viewer/2022052508/559cd6001a28ab9f5f8b45c1/html5/thumbnails/7.jpg)
Report gives Window into Russia's Cyber Espionage
APT
RUSSIA is "likely"
sponsoring a hacking
outfit that targets
foreign governments
and Security Agencies
"APT28", a group operating for possibly more than a decade, has attacked governments in Georgia,
Eastern Europe, as well as NATO and the Organization for Security
and Co-operation in Europe
The activity profile vide this paper appears to be the work of a skilled team of developers and operators collecting intelligence that would only be useful to a government
![Page 8: APT 28 :Cyber Espionage and the Russian Government?](https://reader034.fdocuments.net/reader034/viewer/2022052508/559cd6001a28ab9f5f8b45c1/html5/thumbnails/8.jpg)
APT
Targets insider information related to governments, militaries, and security
organizations that would likely benefit the Russian government.
![Page 9: APT 28 :Cyber Espionage and the Russian Government?](https://reader034.fdocuments.net/reader034/viewer/2022052508/559cd6001a28ab9f5f8b45c1/html5/thumbnails/9.jpg)
“APT28's characteristics — their targeting, malware, language and working hours — have led us to conclude
that we are tracking a focused, long-standing espionage effort… sponsored by the Russian government."
APT
![Page 10: APT 28 :Cyber Espionage and the Russian Government?](https://reader034.fdocuments.net/reader034/viewer/2022052508/559cd6001a28ab9f5f8b45c1/html5/thumbnails/10.jpg)
APT
The paper discusses a threat group whose malware is
well-known in the Cyber Security community & unlike the
China-based threat actors, it does not appear to
conduct widespread intellectual property theft for economic gain. Nor observed to steal and profit
from financial account information.
![Page 11: APT 28 :Cyber Espionage and the Russian Government?](https://reader034.fdocuments.net/reader034/viewer/2022052508/559cd6001a28ab9f5f8b45c1/html5/thumbnails/11.jpg)
APT
While there are no pictures of a building, personas to
reveal, or a government agency to name, what is evident
is of long-standing, focused operations that indicate a
government sponsor – specifically, a government
based in Moscow.
This group is
referred to as
APT28
![Page 12: APT 28 :Cyber Espionage and the Russian Government?](https://reader034.fdocuments.net/reader034/viewer/2022052508/559cd6001a28ab9f5f8b45c1/html5/thumbnails/12.jpg)
APT
![Page 13: APT 28 :Cyber Espionage and the Russian Government?](https://reader034.fdocuments.net/reader034/viewer/2022052508/559cd6001a28ab9f5f8b45c1/html5/thumbnails/13.jpg)
GEORGIA
RUSSIA
EASTERN
EUROPE
![Page 14: APT 28 :Cyber Espionage and the Russian Government?](https://reader034.fdocuments.net/reader034/viewer/2022052508/559cd6001a28ab9f5f8b45c1/html5/thumbnails/14.jpg)
APT
The group likely seeks to collect intelligence about Georgia’s security and political dynamics by targeting officials working for the Ministry of Internal Affairs and the Ministry of Defense.
![Page 15: APT 28 :Cyber Espionage and the Russian Government?](https://reader034.fdocuments.net/reader034/viewer/2022052508/559cd6001a28ab9f5f8b45c1/html5/thumbnails/15.jpg)
APT
Demonstrated interest in Eastern European governments and security organizations.
These victims would provide the Russian
government with an ability to predict
policymaker intentions and gauge its ability to
influence public opinion.
![Page 16: APT 28 :Cyber Espionage and the Russian Government?](https://reader034.fdocuments.net/reader034/viewer/2022052508/559cd6001a28ab9f5f8b45c1/html5/thumbnails/16.jpg)
APTAPT28 appeared to target individuals
affiliated with European security organizations and global multilateral
institutions.
The Russian government has long cited European security organizations like NATO and the OSCE as existential threats, particularly during periods of increased tension in Europe.
![Page 17: APT 28 :Cyber Espionage and the Russian Government?](https://reader034.fdocuments.net/reader034/viewer/2022052508/559cd6001a28ab9f5f8b45c1/html5/thumbnails/17.jpg)
APT
Malware compile times suggest that APT28 developers have consistently updated their tools over the last seven years.
Since 2007, APT28 has systematically evolved its
malware, using flexible and lasting platforms indicative of plans for
long-term use.
![Page 18: APT 28 :Cyber Espionage and the Russian Government?](https://reader034.fdocuments.net/reader034/viewer/2022052508/559cd6001a28ab9f5f8b45c1/html5/thumbnails/18.jpg)
APT28’s malware samples contain counter-analysiscapabilities including
runtime checks to identify an analysis environmentand the inclusion of unused machine instructions to slow analysis.
APT28 tailors implants for specific victim environments. They steal data by configuring their implants to send data out of the network using a
victim network’s mail server.
![Page 19: APT 28 :Cyber Espionage and the Russian Government?](https://reader034.fdocuments.net/reader034/viewer/2022052508/559cd6001a28ab9f5f8b45c1/html5/thumbnails/19.jpg)
APT
Over 96% of the malware samples attributed to APT28 were compiled between Monday and Friday.
More than 89% were compiled between 8AM and 6PM in the UTC+4 time zone,
which parallels the working hours in Moscow and St. Petersburg.
These samples had compile dates ranging from mid-2007 to September 2014.
![Page 20: APT 28 :Cyber Espionage and the Russian Government?](https://reader034.fdocuments.net/reader034/viewer/2022052508/559cd6001a28ab9f5f8b45c1/html5/thumbnails/20.jpg)
APT
More than half of the malware samples with
Portable Executable (PE) resources attributed to APT28
included Russian language settings
![Page 21: APT 28 :Cyber Espionage and the Russian Government?](https://reader034.fdocuments.net/reader034/viewer/2022052508/559cd6001a28ab9f5f8b45c1/html5/thumbnails/21.jpg)
APT28 INTEREST IN
THE CAUCASUS, PARTICULARLY GEORGIA
![Page 22: APT 28 :Cyber Espionage and the Russian Government?](https://reader034.fdocuments.net/reader034/viewer/2022052508/559cd6001a28ab9f5f8b45c1/html5/thumbnails/22.jpg)
APT
![Page 23: APT 28 :Cyber Espionage and the Russian Government?](https://reader034.fdocuments.net/reader034/viewer/2022052508/559cd6001a28ab9f5f8b45c1/html5/thumbnails/23.jpg)
APT28 uses spear phishing emails to target its victims, a common tactic in
which the threat group crafts its
emails to mention specific topics (lures) relevant to recipients
![Page 24: APT 28 :Cyber Espionage and the Russian Government?](https://reader034.fdocuments.net/reader034/viewer/2022052508/559cd6001a28ab9f5f8b45c1/html5/thumbnails/24.jpg)
APT
The group made specific attempts to
target the MIA & MoD
![Page 25: APT 28 :Cyber Espionage and the Russian Government?](https://reader034.fdocuments.net/reader034/viewer/2022052508/559cd6001a28ab9f5f8b45c1/html5/thumbnails/25.jpg)
In one case, APT28 lure from mid-2013 was identified that referenced MIA-related topics and employed malware that attempted to disguise its activity as legitimate MIA email traffic.
The lure consisted of a weaponized Excel file that
presented a decoy document containing a list
of Georgian driver’s license numbers. The backdoor
attempted to establish a connection to a Georgian
MIA mail server and communicate via MIA email
addresses ending with “@mia.ge.gov”.
Once connected to the mail server, APT28’s backdoor sent an email message using a subject line related to driver’s licenses (in Georgian), and attached a file containing system reconnaissance information.
This tactic could allow APT28 to obtain data from the MIA’s network .
![Page 26: APT 28 :Cyber Espionage and the Russian Government?](https://reader034.fdocuments.net/reader034/viewer/2022052508/559cd6001a28ab9f5f8b45c1/html5/thumbnails/26.jpg)
This tactic could allow APT28 to obtain
data from the MIA’s network through a less-monitored route, limiting the MIA
network security department’s abilities to
detect the traffic.
APT
![Page 27: APT 28 :Cyber Espionage and the Russian Government?](https://reader034.fdocuments.net/reader034/viewer/2022052508/559cd6001a28ab9f5f8b45c1/html5/thumbnails/27.jpg)
The U.S. contractor was involved in a working group to advise the MOD
and Georgian Armed Forces, assess Georgia’s military
capabilities, and develop a military training program for the country.
APT28 also appeared to target Georgia’s MOD along with a U.S.
defense contractor that was training the Georgian military.
APT28 used a lure document that installed a SOURFACE downloader and contained a listing of birthdays for members of a working group between the Georgian MOD and the U.S. defense contractor.
![Page 28: APT 28 :Cyber Espionage and the Russian Government?](https://reader034.fdocuments.net/reader034/viewer/2022052508/559cd6001a28ab9f5f8b45c1/html5/thumbnails/28.jpg)
![Page 29: APT 28 :Cyber Espionage and the Russian Government?](https://reader034.fdocuments.net/reader034/viewer/2022052508/559cd6001a28ab9f5f8b45c1/html5/thumbnails/29.jpg)
APT28 TARGETING OF
EASTERN EUROPEAN GOVERNMENTS AND
MILITARIES
![Page 30: APT 28 :Cyber Espionage and the Russian Government?](https://reader034.fdocuments.net/reader034/viewer/2022052508/559cd6001a28ab9f5f8b45c1/html5/thumbnails/30.jpg)
APT28 has registered domains similar to those of legitimate
Eastern European (next slide…)These domain registrations not only suggest that APT28 is interested in Eastern European political affairs, but also that the group targets Eastern European governments directly. In addition, APT28 used
one domain for command and control sessions
(baltichost[.]org) that was themed after the Baltic Host exercises.
Baltic Host is a multinational logistics planning exercise, hosted annually since 2009 by one of the three Baltic States (Estonia, Latvia, and Lithuania, all three of which are on Russia’s border) on a rotational basis.
![Page 31: APT 28 :Cyber Espionage and the Russian Government?](https://reader034.fdocuments.net/reader034/viewer/2022052508/559cd6001a28ab9f5f8b45c1/html5/thumbnails/31.jpg)
EXAMPLES OF APT28 DOMAINS IMITATING LEGITIMATE EASTERN EUROPEAN ORGANIZATION NAMES
![Page 32: APT 28 :Cyber Espionage and the Russian Government?](https://reader034.fdocuments.net/reader034/viewer/2022052508/559cd6001a28ab9f5f8b45c1/html5/thumbnails/32.jpg)
![Page 33: APT 28 :Cyber Espionage and the Russian Government?](https://reader034.fdocuments.net/reader034/viewer/2022052508/559cd6001a28ab9f5f8b45c1/html5/thumbnails/33.jpg)
APT28 TARGETING OF
NATO AND OTHEREUROPEAN SECURITY ORGANIZATIONS
![Page 34: APT 28 :Cyber Espionage and the Russian Government?](https://reader034.fdocuments.net/reader034/viewer/2022052508/559cd6001a28ab9f5f8b45c1/html5/thumbnails/34.jpg)
Russia regards NATO as a threat to Russia’s strategic stability.
APT28 also registered a domain name imitating the Organization for Security and Cooperation in Europe (OSCE)
APT28 used a lure that contained an apparent non-public listing of contact information for
defense attachés in the “Ankara Military Attaché Corps (AMAC),” which appears to be
a professional organization of defense attachés in Turkey.
![Page 35: APT 28 :Cyber Espionage and the Russian Government?](https://reader034.fdocuments.net/reader034/viewer/2022052508/559cd6001a28ab9f5f8b45c1/html5/thumbnails/35.jpg)
APT28 MALWARE
COMMONLY USEDTOOLS
![Page 36: APT 28 :Cyber Espionage and the Russian Government?](https://reader034.fdocuments.net/reader034/viewer/2022052508/559cd6001a28ab9f5f8b45c1/html5/thumbnails/36.jpg)
![Page 37: APT 28 :Cyber Espionage and the Russian Government?](https://reader034.fdocuments.net/reader034/viewer/2022052508/559cd6001a28ab9f5f8b45c1/html5/thumbnails/37.jpg)
Typical Deployment Of SOURFACE
![Page 38: APT 28 :Cyber Espionage and the Russian Government?](https://reader034.fdocuments.net/reader034/viewer/2022052508/559cd6001a28ab9f5f8b45c1/html5/thumbnails/38.jpg)
ECOSYSTEM!!!!
![Page 39: APT 28 :Cyber Espionage and the Russian Government?](https://reader034.fdocuments.net/reader034/viewer/2022052508/559cd6001a28ab9f5f8b45c1/html5/thumbnails/39.jpg)
Malware ECOSYSTEM
AAAAACNCSDN,SMDNFSNF,MSNDF,MSNDFSF
![Page 40: APT 28 :Cyber Espionage and the Russian Government?](https://reader034.fdocuments.net/reader034/viewer/2022052508/559cd6001a28ab9f5f8b45c1/html5/thumbnails/40.jpg)
APT28 MALWARE
SUMMARY OF AFFAIRS
![Page 41: APT 28 :Cyber Espionage and the Russian Government?](https://reader034.fdocuments.net/reader034/viewer/2022052508/559cd6001a28ab9f5f8b45c1/html5/thumbnails/41.jpg)
APT
![Page 42: APT 28 :Cyber Espionage and the Russian Government?](https://reader034.fdocuments.net/reader034/viewer/2022052508/559cd6001a28ab9f5f8b45c1/html5/thumbnails/42.jpg)
![Page 43: APT 28 :Cyber Espionage and the Russian Government?](https://reader034.fdocuments.net/reader034/viewer/2022052508/559cd6001a28ab9f5f8b45c1/html5/thumbnails/43.jpg)
![Page 44: APT 28 :Cyber Espionage and the Russian Government?](https://reader034.fdocuments.net/reader034/viewer/2022052508/559cd6001a28ab9f5f8b45c1/html5/thumbnails/44.jpg)
Contact me :
Mail me at [email protected]/[email protected] at http://anupriti.blogspot.in/
http://about.me/anupam.tiwari