Post on 17-Jun-2020
TOP SECRET//COMINT//REL USA, F VE Y
Case Studies of Integrated Cyber Operation Techniques
TOP SECRET//COMINT//REL USA, FVEY
(U//FOUO)
Inbound ThreatsNeutered Interactive Threatsontrolled Outbound ThreatCorrupted
V i c t i m
NIPRNET
Adversary Web Server
NSA Web Server
i » » » • _ _
Exfiltrate Data
Neuter
Corrupt
A d v e r s a r y
TOP SECRET//COMINT//REL USA, FVEY 18
TOP SECRET//COMINT//REL USA, F VE Y
(S//REL) Foreign Intelligence in Support of Dynamic Defe
Foreign Intelligence
• Access to their tools - so that we can
d'tf&H1 other U.S. victims
TOP SECRET//COMINT//REL USA, FVEY
5//REL) Use CNE to penetrate the operations of foreign cyber actors U) Two major classes of CNE techniques • (U) Man-in-the-middle • (U) Man-on-the-side
U//FOUO) Steal their tools, tradecraft, targets and take
Foreign Infrastructure Adversary Home M o t u u f t f l f
TOP SECRET//COMINT//REL USA, FVEY 18
(U) Man-in-the5MiiîfëHe//,tTa5'Multiple
Active Exploitation
Implant ed
Router
(U) Man-in-the5Mii^e//lTa5'Multiple
Active Exploitation Network Defense
Good Guys
CLOUDSHIE
PANDORASMAYH
Implant ed
AnySite .co
Router
S//REL) TUTELAGE is a man-in-the-middle technique
(U//FOUO) Using TUTELAGE to enable active exploitation is integrated cyber operations.
(S//REL) Q U A N T U M T R ? ^ T ^ ™ ^ h ^ i F ^ Y A c t i v e Exploitation ^
© SIGINT cue
O Insert hook in addition to requested d a t a ™
Concerted Use of both Passive + Active SIGINT
• Implant targets based on 'selectors' and/or behavior
- e.g. users of al-Mehrab ISP (Mosul) who visit al-Hezbah extremist website
• Requires target webserver responses be visible to passive SIGINT
• Requires sufficient delay in target web connection for the hook to "beat" the response back to the target (typically means at least one « satellite hop) * -
• Requires target 's client to be vulnerable U
» E
il •Target web connection/ request via SATCOM or Fiber
Cycle ©O must get to the target before © ,(<
occurs • to . . Once 'hooked,' the target is exploited with no t ime constraints Different QUANTUM effects have different t ime
O © Hook calls to Covert Listening Post (LP): _
upload robust implant for sustained access
TOP SECRET//COMINT//REL USA, FVEY 18
TOP SECRET//COMINT//REL USA, F VE Y
(U//FOUO) BOXINGRUMBLE Case Stud
NIPRNET
I C t B
(S//REL) DNS requests entering NIPRnet domain
- (S//REL) Destination IP not a NIPRnet DNS server
- (S//REL) Domain name not within NIPRnet
(S//REL) DNS behavior of host is suspicious but not dangerous (TS//SI//REL) TAO uses QUANTUMDNS to redirect the requesting host
NSA and TAO Covert Infrastructu re
TOP SECRET//COMINT//REL USA, FVEY
TOP SECRET//COMINT//REL USA, F VE Y
(S//REL) QUANTUMDNS: An Integrated Cyber Oper
DNS Serve Where's , ,
Anysite.mi I?
Root DNS
Serve
m
Where's 1 DNS qi i° i-Anysite.mJI
TARGET SPACE
j iVt icnow, 1 l 'Hack. "
Root DNS Server,
~ C o n n e â é f i / è P ' p t o this DN^ Talk to the root Server
DNS Server
1 know how to g e y to Anysi te.mi l
IP is 1.2.3.4
TAO Server mirrors Anysite.mil
query NIPRNET
Anysite.mil?
[ S í TAO Shooter
Blocked If DNS Server Found
NIPRNET
Anysite.mi y e r I g I Server Implant
Comman d &
Control
TOP SECRET//COMINT//REL USA, FVEY
TOP SECRET//COMINT//REL USA, F VE Y
(S//REL) QUANTUMDNS: As Used Against BOXING
IP is 1.2.3.4
TAO C2
m a l mirrors Anysite.mil C2
TAO Shooter
Command Sent
Implan
" I Implant _ Comman J d &
Control
TOP SECRET//COMINT//REL USA, FVEY 18
TOP SECRET//COMINT//REL USA, FVEY
(U//FOUO) BOXINGRUMBLE Case Stud
m m
Open W e b Proxies
Victims (Bots )
m - -
(TS//SI//REL) TAO establishes itself as a trusted C2 node (U//FOUO) Captured traffic indicates the existence of a bot net
- (S//REL) Command and control split into two layers (C2 and C4)
- (S//REL) C2 layer has a peer-to-peer mesh network topology with direct connection to a C4 node
(S//REL) C2 nodes connect directly to victims as well as through open web proxies
NSA and TAO Covert Infrastructu re
TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL
TOP SECRET//COMINT//REL USA, F VE Y
(U//FOUO) BOXINGRUMBLE Case Stud
(TS//SI//REL)TAO C2 server can see all bot tasking (TS//SI//REL) TAO C2 server can push tasking (S//REL) BOXINGRUMBLE bots
- (S//REL) - 45% Vietnamese dissidents - (S//REL) -45% Chinese dissidents - (S//REL) -10% Other
(TS//SI//REL) Adding BOXINGRUMBLE bots to DEFIANTWARRIOR
NSA and TAO Covert Infrastructu re
TOP SECRET//COMINT//REL USA, FVEY
(U) There is MmfgETh«ifriO'ffëuWSiy to I
TS//SI//REL
Name Description Inceptio n
Date
Status Operat ional Success
CNE
QUANTUM INSERT • Man-on-the-Side technique • Briefly hi-jacks connections to a terrorist website • Re-directs the target to a TA0 server (F0XACID) for implantation
2005 Operatio nal
Highly Successful (In 2010, 300 TAO implants were deployed via QUANTUMINSERT to targets that were un-exploitable by any other means)
QUANTUMBOT • Takes control of idle IRC bots • Finds computers belonging to botnets, and hijacks the command and control channel
Aug 2007 Operatio nal
Highly Successful (over 140,000 bots co-opted)
QUANTUM BISCUIT • Enhances QUANTUMINSERT's man-on-the-side technique of exploitation • Motivated by the need to Ql targets that are behind large proxies, lack predictable source addresses, and have insufficient unique web activity.
Dec 2007 Operatio nal
Limited success at NSAW due to high latency on passive access (GCHQ uses technique for 80% of CNE accesses)
QUANTUMDNS • DNS injection/redirection based off of A Record queries. • Targets single hosts or caching name servers.
Dec 2008 Operatio nal
Successful (High pr ior i ty CCI target exploi ted)
QUANTUMHAND Exploits the computer of a target who uses Facebook
Oct 2010 Operatio nal
Successful
QUANTUMPHANTO M
Hijacks any IP on QUANTUMable passive coverage to use as covert infrastructure.
Oct 2010 Live Tested
N/A
CNA QUANTUMSKY Denies access to a webpage through RST packet
spoofing. 2004 Operatio
nal Successful
TS//SI//REL
I QUANTUMCOPPER File download/upload disruption and corruption. Dec 2008 Live N/A
TOP SECRET//COMINT//REL US
(U//FOUO) QUANTUMSMA In te rnet
NIPRNET TOP SECRET//COMINT//REL USA, FVEY 18
A, F VE Y
LCKDOW N S A S p a c e
TURBIN
0020h; 0030h: 0040h: OOSik:
0070A: 0080&: orsoi>:
OOCOh: OOMb: KXOfc; MrOü:
ClllOb: a s i a t i OlJOhi i l « t , OJSOh; 3160h: OnOhr
es « OD Oi 75 4r « 70 7 i "»S f?
t9 CT i 73 «s e sr ée t (£ <7 2
so s: t î ta n es
? ?3 i c « er
&r 77 73 1 75 72 51 1 4'-< 19 «3 1 0> OA »5 1
73 74 65 GS 7; 6F 61 oi> m in
78 73 «S
«S 7i 59 i3 « 5P 2E «
«5 6C 3B Ol. OJl «• 2t 41 i l 74
Î4 <S 78 71 î> 35 OJl 75 73 74 <5 SD SI S~> M St (¡4 il 73 3B OD 0(L 7S ?3 Ï9 iE 73 5r j « 74 ZZ 37 SS i t <4 M it 43 Sf St 6« 69 »7 3t OD QA 75 7) fi? SE i t ¡0 «< 74 -T 57 5Ü Äf 33 1? "B
fit iE 14 Of 0* 75 73 <9 •*r 3» at ça •'s iE 52 6! 73 «F
ÎO SÏ •>»
sir.o Systen.ColJ cet ions.Oerer i c i ..131DJ Si'JtBP, c oKDMntS>d( l : . .
4. , i U1B9 S y s t » .Dca i i n j : . .usine S*i-3:«a.Texc:..
aie.0 BÏIUS
v Si i iosuSt-Tim; öäil löBl le. COMIC
i "S ' 1 ' > ' i i l ( 1 Î! 15 1 4 ¿5 ÉP 2
i êt *r 4D : t : 70 S3 t £? 30 SÎ ?j 74 SS Ét> 2t Si i t iC 3B
S 73 J
F3 94 3S 65 23 39 30
31 23 5L 4E 31 23 49 « 52 53 44 53 CS 04 69 98 61 5F 53 72
7F. 63 SC 70 64 62 00 FF FF FF FF
60 eo F0 3F 00 00 00 £0 75 ct> m 3F M 86 2F
bJ
3© ee ee 99 FF FF 47 41 65 61 74 75 4B 45 52 4c. 41 4E 60 03 44 09 60 09 91 62 FE 94 10 00 00 09 53 5C I i 75 s? f s sr h* 9A 4D S3 10 30 B0 00 Bö
i 9 73 50 72 72 65 SO 72
4C 33 S2 31 23 ¿E 31 23 53 •£ 23 AB E5 <2 66 3fi 5C AI 72 6F TZ e i g l 73 65
A client requests connection to malicious server. Request is detected by TURMOIL CLOUDSHIELD terminates client-side connection.
L The malicious server's response is blocked by CLOUDSHIELD.
L TURMOIL tips TURBINE, which then tasks a shooter to send the acknowledgement to the malicious server.
. Malicious server assumes connection and forwards
A, FVEY
TOP SECRET//COMINT//REL USA, F VE Y
(U//FOUO) Future Capability: QUANTUMSANDJV
Take captured ma I w-are and OOZOlfi 65 «J 7+ S9 t r CE fi il «5 «E « H « 18 e c t i o w .
e x e c u t g | | S | r ! ì r ^ ^ l envi ronment.
«• 3 ! Cl 7 1 vsino STOMI». t-sr 6? CE 67 2 0 53 79 7: li « Î St> c; , .\izivf Syï'-çiD « 67 31 OD OA 75 7} 69 61 57 .D r ws n j : . ur ing tb 2t £4 ÌS ?S 74 35 09 DJ. ?S S7St«tp.lest: . . u 19 1) 7H i f if> SE S' S9 f t 54 « Iftg i t Ad •t éD 73 18 OD OA 75 71 69 SE v W . r u i u i . . U l u
* t i n i ô u à H : ^ Allow f $ r f f f & j p ë 8 1 î p t QUANTUM technique with outside world IHHk : 6E i ' 20 53 -"S 73 74 6S 6 1 ^
BJiflft: 7 ì <59 6t (.7 Ì0 SS ' aiiar.: 75 bj i s t j jB 0£> o * ^ Ûl40h! 7Î 05 6: :E £2 75 61 7hJJ OlSOh; 65 lm 6f 7C S3 {5 72 75 J OliOfc: fJ ir il ei :0 S3 7&
3& 03 Oi 75 i,a Srs t ia , SS tS lì if sing « ¡0 53 7S i i r re3 j . .vo inw Sy 2E 4? s i 74 jcca, Ruacite, In: SB DI' Oi 75 « g g S « m m ; , . ' j Spi«" 3B I l i a i ï H f mg, get
I : .:.> TE 0L 56 £F 55 b 65 73 65 BE
e+pss» - . " f l . . . a'T rfrtc« sur Fed tur ePr essi i t . . .KERMEL35.... I t Q h R M . i l i l H f . . . 3 i lK>, . . 18SNHN.. RSPS-
TOP SECRET//COMINT//REL USA, FVEY
TOP SECRET//COMINT//REL USA, FVEY
(U) Future Work
• (U//FOUO) Develop lower latency guards • (S//REL) Use TUTELAGE inline devices as our
"shooter" • (U//FOUO) Push decision logic to the edge
• (U//FOUO) Identify more mission opportunities • (U//FOUO) Continue developing and deploying
additional QUANTUM capabilities
(U) There is MmfgETh«ifriO'ffëuWSiy to I
TS//SI//REL
Name Description Inceptio n
Date
Status Operat ional Success
CNE
QUANTUM INSERT • Man-on-the-Side technique • Briefly hi-jacks connections to a terrorist website • Re-directs the target to a TA0 server (F0XACID) for implantation
2005 Operatio nal
Highly Successful (In 2010, 300 TAO implants were deployed via QUANTUMINSERT to targets that were un-exploitable by any other means)
QUANTUMBOT • Takes control of idle IRC bots • Finds computers belonging to botnets, and hijacks the command and control channel
Aug 2007 Operatio nal
Highly Successful (over 140,000 bots co-opted)
QUANTUM BISCUIT • Enhances QUANTUMINSERT's man-on-the-side technique of exploitation • Motivated by the need to Ql targets that are behind large proxies, lack predictable source addresses, and have insufficient unique web activity.
Dec 2007 Operatio nal
Limited success at NSAW due to high latency on passive access (GCHQ uses technique for 80% of CNE accesses)
QUANTUMDNS • DNS injection/redirection based off of A Record queries. • Targets single hosts or caching name servers.
Dec 2008 Operatio nal
Successful (High pr ior i ty CCI target exploi ted)
QUANTUMHAND Exploits the computer of a target who uses Facebook
Oct 2010 Operatio nal
Successful
QUANTUMPHANTO M
Hijacks any IP on QUANTUMable passive coverage to use as covert infrastructure.
Oct 2010 Live Tested
N/A
CNA QUANTUMSKY Denies access to a webpage through RST packet
spoofing. 2004 Operatio
nal Successful
TS//SI//REL
I QUANTUMCOPPER File download/upload disruption and corruption. Dec 2008 Live N/A
(U) QUESTIONS?
For more information, please contact:
TUTELAGE vs QUANTUM - ^ ^ m S32X TURBINE 1 T1412 BOXINGRUMBLE - | F22
TOP SECRET//COMINT//REL USA, FVEY 18