Post on 16-Jul-2015
THE MOTIVES, MEANS AND METHODS OF CYBER-ADVERSARIES
ADVANCED PERSISTENT RISKS TO BUSINESS
Vitaly Kamluk
Principal Security Researcher
Kaspersky Lab
PRESENTATION OVERVIEW
• About us
• What has been driving the cyber-attackers lately?
• Latest intrusion arsenal
• Most recent infiltration techniques
• Growing trends
• Summary
GREAT: ELITE THREAT RESEARCH
• Global Research and Analysis Team, since 2008
• Threat intelligence, research and innovation leadership
• Focus: APTs, critical infrastructure threats, banking threats, sophisticated targeted attacks
RECENT HIGH PROFILE APT ATTACKS
Timeline, 2010 to 2014:
• Darkhotel
• Miniflame
• Gauss
• Flame
• Stuxnet
• Duqu
• Kimsuky
• Energetic Bear/Crouching Yeti
• Teamspy
• Winnti
• Icefog
• Regin
• RedOctober
• MiniDuke
• NetTraveler
• Epic Turla
• CosmicDuke
• The Mask/Careto
• Animal Farm
APT: A MITE IN YOUR NETWORK
• Hard to detect
• Almost impossible to get rid of
• And even if you do, it comes back again
MOTIVATION: WHAT ARE THEY LOOKING FOR?
• Your innovations and blueprints
• Business plans and budgets
• Routes to your shareholders and partners
• Digital certificates
• Your virtual credentials
• Physical access codes
• Scientific research results
• Government links
• List of secret studies
• Your business procedures
• Enterprise datasets
• Ways to control your company
MEANS: THE ARSENAL
Digital certificates
• Invalid, fake certificates
• Certificates stolen from vendors
• Certificates by fake businesses
• Forged certificates
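The four certificate categories above differ in what a verifier can actually catch. The Go program below is an added illustration, not part of the presentation or of any Kaspersky tooling: it builds a constructed CA and three code-signing leaf certificates and classifies each one. A forged, self-signed certificate fails chain validation; a certificate genuinely issued by a trusted CA to a front company chains correctly but fails a publisher allow-list; a certificate stolen from a real vendor passes both checks, which is why revocation data and behavioural detection still matter. All names (Example Trusted CA, Example Vendor Ltd, Totally Legit Software Inc) and the ClassifySigner and Scenarios functions are assumptions constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Verdicts returned by ClassifySigner (constructed for this example).
const (
	VerdictUntrusted  = "untrusted-chain"      // forged or self-signed: no path to a trusted root
	VerdictUnexpected = "unexpected-publisher" // chains to a trusted CA but is not a publisher we allow
	VerdictOK         = "ok"                   // chains and is allow-listed; a stolen vendor cert also lands here
)

// newKey generates a fresh P-256 key pair.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs template under parent with parentKey and parses the resulting DER.
func issue(template, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// leafTemplate returns a code-signing end-entity template for the given publisher organisation.
func leafTemplate(serial int64, org string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{Organization: []string{org}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
}

// ClassifySigner verifies a code-signing certificate against trusted roots, requiring the
// code-signing EKU, and then checks the publisher against an allow-list of expected organisations.
func ClassifySigner(leaf *x509.Certificate, roots *x509.CertPool, allowed map[string]bool) string {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	if err != nil {
		return VerdictUntrusted
	}
	for _, org := range leaf.Subject.Organization {
		if allowed[org] {
			return VerdictOK
		}
	}
	return VerdictUnexpected
}

// Scenarios builds a constructed CA plus three leaves mirroring the slide's categories
// and returns the verdict for each.
func Scenarios() map[string]string {
	caKey := newKey()
	caTpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Trusted CA (constructed)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(48 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	ca := issue(caTpl, caTpl, &caKey.PublicKey, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)

	// 1. Genuine vendor certificate: if its private key is stolen, signatures still verify.
	vendorKey := newKey()
	vendor := issue(leafTemplate(2, "Example Vendor Ltd"), ca, &vendorKey.PublicKey, caKey)
	// 2. Certificate legitimately issued to a front company: valid chain, unexpected publisher.
	frontKey := newKey()
	front := issue(leafTemplate(3, "Totally Legit Software Inc"), ca, &frontKey.PublicKey, caKey)
	// 3. Forged certificate: self-signed leaf that merely claims the vendor's name.
	forgedKey := newKey()
	forgedTpl := leafTemplate(4, "Example Vendor Ltd")
	forged := issue(forgedTpl, forgedTpl, &forgedKey.PublicKey, forgedKey)

	allowed := map[string]bool{"Example Vendor Ltd": true}
	return map[string]string{
		"stolen-vendor-cert": ClassifySigner(vendor, roots, allowed),
		"fake-business-cert": ClassifySigner(front, roots, allowed),
		"forged-cert":        ClassifySigner(forged, roots, allowed),
	}
}

func main() {
	for name, verdict := range Scenarios() {
		fmt.Printf("%-20s %s\n", name, verdict)
	}
}
```

The allow-list step is what separates "valid" from "expected": chain validation alone accepts any certificate a public CA was willing to issue, including one bought by a shell company. The stolen-key case is deliberately left as "ok" to make the point that only revocation checking (CRL/OCSP) or monitoring of what the signed binary does can close that gap.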
MEANS: THE ARSENAL
Malware tools:
• First stage implant
• Modular backdoors
Some capabilities:
• Filesystem control
• Cached password stealing
• Sound recording
• Screen grabbing
• Video casting and keylogging
• Removable media monitoring
• Smartphone infection and data snooping
MEANS: THE ARSENAL
The most advanced capabilities:
• Factoring RSA-1024 keys
• Live modification of OS updates
• OS boot process orchestration
• Jailbreaking mobile OS
• HDD firmware infection
• Mapping air-gapped networks
• Virtual registry-based encrypted filesystem
• GSM BSS hijacking
METHODS: INFILTRATION TECHNIQUES
How they get to your systems:
• Spear-phishing emails
• Social Networks and Instant Messaging
• Watering holes
• Hospitality networks
• USB drives
• Interdiction
APAC LESSONS
• Massive IP theft by Chinese hackers
• Cybersabotage / wiper attack in South Korea
• Darkhotel hospitality network attacks
• RSA key factoring
• Watering hole and Torrent file infections
• Sony hack
• Cyberattack against nuclear facility in Korea
• DDoS against GitHub
TRENDS ON THE RISE
• APT techniques are adopted by cybercriminals
• Business supply chains are getting attacked
• Cybermercenaries are becoming a “commodity”
• Nation states are building larger botnets
• Hospitality networks are being used to track and compromise high-profile victims