Red Line Redrawn - Cyber Security Experts & Solution Providers › content › dam › fireeye-www...
Transcript of Red Line Redrawn - Cyber Security Experts & Solution Providers › content › dam › fireeye-www...
OCTOBER 1 – 4, 2018 | WASHINGTON, D.C.
Red Line Redrawn:China APTs ResurfaceCristiana Brafman Kittner (@criskittner )Ben Read (@bread08)
©2018 FireEye
§ Principal Analyst, Cyber Espionage Analysis
§ Sr. Manager, Cyber Espionage Analysis
Ben ReadWho We AreCristiana Brafman Kittner
©2018 FireEye
Key Points
§ Decline in 2014
§ Gap in Activity
§ Return in 2016 - 2018
§ Revealing Changes
§ What this means for you
3
©2018 FireEye
Background
4
Red Line Drawn
§ Released June 2016
§ Intended to measure the impact of Xi-Obama Agreement Sept. 2015
§ Showed that the decline in events was real and pre-dated the agreement
©2018 FireEye
Trends in Chinese APT Operations:China Recalculates its use of Cyber Espionage
§ Since mid-2014, there has been a notable decline in overall intrusion activity, likely a result of:
– Ongoing Chinese military reforms– Widespread exposure of Chinese
cyber operations– Actions taken by USG
©2018 FireEye
Sept. 2015 Obama-Xi Agreement§ Leading up to Agreement, in May 2014, US
Department of Justice issued charges against 5 3PLA individuals for carrying out cyber-espionage against US companies
§ September 2015 Agreement stated “Neither country would engage in cyber economic espionage.”– Agreement covers the theft of IP but not national security
information
§ The cybertheft of IP which preceded the Agreement was described by former National Security Agency Dir. Keith Alexander as "the greatest transfer of wealth in history".
Chinese Cyber Forces Reorganize
©2018 FireEye
Chinese APT Ecosystem
Source: South China Morning Post
§ People’s Liberation Army (PLA)
– Regional commands§ Ministry of State Security (MSS)
– Intelligence Organization§ Contractors
– Various levels of control and affiliation
©2018 FireEye
Chinese Cyber Forces Reorganize§ Attempt to modernize and improve
cohesiveness across regions and services
§ March 2014 – PLA Reform discussed
§ September 2015 – Official announcement at Military Parade in Beijing
– Helps centralize Xi’s control§ December, 2015 - Establishment Ceremony for
creation of PLA Strategic Support Forces (PLASSF)
©2018 FireEye
Establishment of PLA Strategic Support Forces (PLASSF)
§ SSF is charged with overseeing Chinese military space, cyber, and electronic warfare(EW)
§ Composed of former General Staff Department (GSD), General Armament Department (GAD) 3PLA, and 4PLA units
§ Creates:
– Space Systems Department (�(����) 57 to carry out space missions
– Network Systems Department (�����) 58 to carry out the SSF’s cyber and EW missions
§ Reports directly to the CMC headed by President Xi
©2018 FireEye
April 2017 PLA Restructuring
§ In April 2017, further information was officially disclosed by the Ministry of Defense, of an even more drastic reorganization.
– Entire PLA was streamlined
§ New organization reflects Xi’s desire to strengthen PLA joint operations capabilities—on all domains, including cyber
What FireEye has seen
©2018 FireEye
©2018 FireEye
Data
§ Data Sources– Malware compile times from incident responses, device
detections, public repositories
§ Compile time set when a malicious tool is created
– Attacker Activity seen at Incident Responses
– Spear Phishes Detected by FireEye Devices
§ Caveats– Manipulation of compile times
– Gaps in visibility
– Changes in tools
§ Possible errors in individual data points, but the broad trend is clear
©2018 FireEye
©2018 FireEye
©2018 FireEye
©2018 FireEye
Case Studies
©2018 FireEye
©2018 FireEye
APT10 (MenuPass)
APT10 Before After
ToolsPHOTO, POISONIVY,
KABOB, SOGU, COOKBOOK, GH0ST
BUGJUICE, HAYMAKER, SNUGRIDE,
SPOOLSPOUT, DILLJUICE,
QUASARRAT
Target Countries Worldwide Worldwide
Target Industry Broad spectrum Broad spectrum
§ Now leveraging trusted third parties to pivot to networks of interest
§ Reuse of infrastructure across industries in initial compromise
§ New communications infrastructure detected in recent activity
§ Associated to contractors more closely than PLA, thus unique dormant time
©2018 FireEye
©2018 FireEye
APT19 (Codoso)
§ Primarily targets US, and Western based organizations
§ In May and June 2017 reemerged targeting global law and financial firms for intelligence collection operations
§ Recent activity suggests that the group is increasingly integrating commercially available toolsets
– June 2016, APT19 starts leveraging Cobalt Strike BEACON payload
APT19 Before After
Tools STALEMATE, BARMAID, GEMINI, ESKC2, TESTFAC
EMPIRE, COLDSTEEL,
HTRAN, BEACON
Target Countries
US, Brazil, Netherlands, Colombia
US, Netherlands, Hong Kong
Target Industry Broad spectrum
Financial, Transportation,
Legal
©2018 FireEye
©2018 FireEye
TEMP.Periscope
§ Active since at least 2013
§ Initial focus on Western maritime targets, have expanded to include Southeast Asian Govts
§ Maintained access to US defense contractor during pause, but took no actions on network
§ Current Western targeting appears to fall within bounds of “Traditional Espionage”
TEMP.Periscope Before After
ToolsREDMAGE, FRESHAIR,
SOGU, PHOTO, AIRBREAK
AIRBREAK, MURKYTOP,
CHINACHOPER, BADFLICK,
HOMEFRY, PHOTO, JUMPKICK,
LUNCHMONEY
Target Countries US, Great Britain Worldwide
Target Industry
Defense and Academia, with focus
on Maritime
Aerospace & Defense,
Academia, Government,
Maritime, Transportation
©2018 FireEye
©2018 FireEye
Team.338
§ Active since at least 2010
§ Historical targeting and spoofing of high-profile individuals in global political and economic arena
§ Returned after hiatus targeting broad range of sectors in East Asia
– Between September 2017 to January 2018, leveraged spear-phishing messages with human rights and terrorist financing themes to deliver signature BUBBLEWRAP malware
– Used new tool DOWNSIDE and expanded targeting to include energy, extractive, industrial manufacturing, media and technology
Team.338 Before After
Tools
POISONIVY, PROTUX, FAIRBET, BUBBLEWRAP,
SAFERSING, THICKCLOUDMONKEYTILT
BUBBLEWRAP, DOWNSIDE
Target Countries Worldwide
Japan, Macau, Hong Kong, International
Organizations
Target Industry
Aerospace & Defense, Financials, Dissidents and Human Rights
NGOs, Telecommunications
Defense, Government, NGOs
Telecommunications, Media
©2018 FireEye
©2018 FireEye
Group A
§ Chinese cluster that has been active since at least 2009, characterized by use of WARP Malware
– Activity ended in December 2014
– Targeted Academic, Manufacturing, Defense orgs for IP theft
§ Mid-July, 2018, series of spear phishes delivering WARP malware
– The lure documents dropped WARP along with newly discovered DOORJAM malware
– Multiple organizations targeted in 2018, were also targeted between 2011-2013
– Dropper compiled in 2018, WARP backdoor in 2013, calls to a 2018 domain
Group A Before After
ToolsWARP, WEFT,
DOORJAM, SIDEPART, AURIGA, TRUCKBED
WARP, DOORJAM
Target Countries US & Canada US & Canada
Target Industry Broad spectrum Broad spectrum
A
What does this mean?
©2018 FireEye
What has changed?
§ Bureaucracy Driving Activity
– Reorganization caused significant operational impact
§ Changes still being implemented
§ Groups returned in diverse ways
§ Doesn’t explain everything
– Some didn’t pause
– Some didn’t come back
©2018 FireEye
What does it mean§ Is the Xi-Obama agreement holding?
– No widespread commercial IP theft in US
§ Other malicious activity continues
– Geopolitical Targeting– Defense IP– Confidential Business Information
§ IP Transfer continues
– Forced Technology Transfer§ Complex and Evolving US – China relationship
©2018 FireEye
Acknowledgements
§ Fred Plan
§ Scott Henderson
§ Sarah Hawley
§ TORE/AP2
§ Alex Lanstein
§ ”Red Line Drawn” v1 Team
§ Ana Foreman
©2018 FireEye
Questions?