Ben Doyle - Thales OSINT Rosetta Stone - Building an APT Rosetta Stone: Using OSINT to Group APT Names

Transcript (22 slides)

Page 1

www.thalesgroup.com

Building an APT Rosetta Stone

Using OSINT to Group APT Names

Ben Doyle, Thales CISO – Asia Pacific

Page 2

This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in part or disclosed to a third party without the prior written consent of Thales. Thales 2015. All rights reserved.

Vulnerability Headlines

Page 3

Branded Vulnerabilities

Page 4

APT Headlines

Page 5

What are we to think?

Image Source: http://www.techweekeurope.co.uk

Page 6

We need Context

Page 7

APT Naming Schemes

▌ Crowdstrike

Animal names, with the animal chosen by country for espionage groups (Deep Panda, Fancy Bear, Comment Panda, Cutting Kitten, Viceroy Tiger)

Cyber-crime groups use Spider (Pizzo Spider (DD4BC), Andromeda Spider)

Hacktivist groups use Jackal (Deadeye Jackal, Gekko Jackal (LizardSquad), Ghost Jackal)

▌ Kaspersky – Random (Dark Hotel, Epic Turla, CosmicDuke, Carbanak)

▌ Mandiant/FireEye – APT# (APT1, APT3, APT8, APT17, APT18, APT28, APT6, APT29, APT30)

▌ Cisco – Group# (Group72)

▌ Microsoft – Periodic table of elements (Strontium, Platinum)

▌ Dell – TG-# (TG-2633, TG-0416, TG-3390)

Page 8

Mapping Process

▌ Using Paterva CaseFile to manually map attributes together

▌ Start with a decent-sized report to allow for a significant number of APT groups to be mapped

▌ For each APT name found:

Place it in Paterva CaseFile

Link it to the country of the source if possible

Open a browser and search for the APT name

Identify new intelligence in the search results and map it to CaseFile

Search again with the new intelligence – rinse/repeat

Page 9

CaseFile Mapping

Page 10

OSINT Research Outcome

My poor browser drowning under yet-to-analyse tabs for the last 6 months

Page 11

OSINT Rosetta Stone – So far…

Page 12

Findings so far

Note: The attributions to countries of origin are based on third-party published information. These attributions do not necessarily indicate nation-state support unless specific published information from third parties has stated this.

Page 13

Chinese Origin

▌ There are some obvious well-known groups, judging by the number of different APT names they are known by.

▌ The amount of OSINT in this area can cause problems in itself, with mislinked groups between vendors

Page 14

Chinese Origin

▌ Sometimes there is not enough OSINT to clearly split APT group names with overlapping attributes or mistakenly reported links between groups

Page 15

Chinese Origin - Winnti

▌ The Winnti group was very active in the South Korean gaming scene.

▌ They are known to use stolen code-signing certificates in their malware

▌ Interestingly, some of the certificates were used in other APT espionage campaigns.

E.g. the Mgame Corp code-signing certificate (part of the FireEye "From Quartermaster to Sunshop" report)

Page 16

Chinese Origin - Naikon

▌ Lotus Panda / MsnMM

▌ Focus is SE Asian countries

▌ Potential links to PLA Unit 78020

▌ Project Camerashy was a large report published by Kaspersky on Naikon

Page 17

Chinese Origin – Rosetta Stone

▌ APT1 (FireEye), Comment Panda (Crowdstrike), Shady RAT (McAfee), Comment Crew

▌ APT3 (FireEye), Gothic Panda (Crowdstrike), UPS

▌ APT8 (FireEye), Violin Panda (Crowdstrike), Nitro (Symantec)

▌ APT12 (FireEye), Numbered Panda (Crowdstrike), IXESHE (TrendMicro), JOY Rat, DynCalc, DNSCALC

▌ APT17 (FireEye), Aurora Panda (Crowdstrike), DeputyDog, Hidden Lynx???? (Symantec)

▌ APT18 (FireEye), Dynamite Panda (Crowdstrike), TG-0416 (Dell)

▌ Lotus Panda (Crowdstrike), Naikon (Kaspersky), MsnMM

▌ Vixen Panda (Crowdstrike), Ke3chang (FireEye), Mirage, Flea (Symantec)

▌ Deep Panda (Crowdstrike), ShellCrew (RSA), Black Vine (Symantec), WebMasters (Kaspersky), KungFu Kittens (FireEye), SportsFans, Pupa, PinkPantha

▌ Axiom (Novetta), Group 72 (Cisco)

Page 18

Russian Origin – APT28 / Fancy Bear

▌ Does not appear to conduct widespread intellectual property theft. Mainly targets information related to government interests

▌ Uses Sofacy and Sednit malware

▌ Thought to be running under the military intelligence unit GRU

▌ Linked to the recent US Democratic National Committee breach

Page 19

Russian Origin – Cozy Bear / APT 29

▌ Cozy Bear / APT29 / CozyDuke / CozyCar / Cozer / EuroAPT / Office Monkeys

▌ Thought to be working for Russia's Federal Security Service (FSB)

▌ Also linked to the recent Democratic National Committee compromise.

▌ Known to "live off the land", using PowerShell and WMI for persistence.

Page 20

Russian Origin – Rosetta Stone

▌ APT28 (FireEye), Fancy Bear (Crowdstrike), TG-4127 (Dell SecureWorks), Strontium (Microsoft), Pawn Storm (TrendMicro), Tsar Team/Group (iSight Partners), Sednit

▌ APT29 (FireEye), Cozy Bear (Crowdstrike), CozyDuke (F-Secure), CozyCar (Palo Alto?), Cozer, EuroAPT, Office Monkeys

▌ Energetic Bear (Crowdstrike), Crouching Yeti (Kaspersky), Koala Team, DragonFly (Symantec), Havex

▌ Venomous Bear (Crowdstrike), Uroburos, Ouroboros, Epic Turla (Kaspersky), Snake (BAE)
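The mapping loop from the Mapping Process slide and the alias lists on the two Rosetta Stone slides, as an added Python example that is not part of the original deck: a small union-find that merges names vendors report as the same group, collapses spelling variants (Cozy Duke / CozyDuke, Pawnstorm / Pawn Storm) to one key, and holds low-confidence links such as the slide's "Hidden Lynx????" aside as unconfirmed instead of merging them, so one mislink cannot fuse two vendors' groups. The link list and its confidence values are constructed from the slides; `RosettaStone`, `canon` and `build_from_slides` are the example's own names.

```python
import re
from collections import defaultdict

# Constructed sample from the deck's Rosetta Stone slides: (name, name, confidence).
# 1.0 = a vendor reports them as one group; "Hidden Lynx????" becomes a weak link.
SLIDE_LINKS = [
    ("APT17", "Aurora Panda", 1.0), ("APT17", "DeputyDog", 1.0), ("APT17", "Hidden Lynx", 0.4),
    ("APT28", "Fancy Bear", 1.0), ("APT28", "TG-4127", 1.0), ("APT28", "Strontium", 1.0),
    ("APT28", "Pawn Storm", 1.0), ("Fancy Bear", "Sednit", 1.0),
    ("APT29", "Cozy Bear", 1.0), ("Cozy Bear", "CozyDuke", 1.0),
]

def canon(name):
    # Collapse vendor spellings: 'Cozy Duke', 'CozyDuke', 'cozy-duke' -> 'cozyduke'
    return re.sub(r"[^a-z0-9]", "", name.lower())

class RosettaStone:
    """Union-find over alias names. Links below min_confidence are kept as
    'unconfirmed' instead of merging, so one mislink cannot fuse two groups."""
    def __init__(self, min_confidence=0.8):
        self.min_confidence = min_confidence
        self.parent = {}              # canonical key -> parent key
        self.display = {}             # canonical key -> spelling first seen
        self.weak = defaultdict(set)  # canonical key -> unconfirmed names
    def _find(self, key):
        self.parent.setdefault(key, key)
        while self.parent[key] != key:
            self.parent[key] = self.parent[self.parent[key]]  # path halving
            key = self.parent[key]
        return key
    def add_link(self, a, b, confidence):
        ka, kb = canon(a), canon(b)
        self.display.setdefault(ka, a); self.display.setdefault(kb, b)
        ra, rb = self._find(ka), self._find(kb)  # registers both names
        if confidence < self.min_confidence:
            self.weak[ka].add(b); self.weak[kb].add(a)
        elif ra != rb:
            self.parent[ra] = rb
    def aliases(self, name):
        """All spellings in the same cluster as `name`; [] if never seen."""
        key = canon(name)
        if key not in self.display: return []
        root = self._find(key)
        return sorted(self.display[k] for k in self.parent if self._find(k) == root)
    def unconfirmed(self, name):
        return sorted(self.weak.get(canon(name), ()))

def build_from_slides(min_confidence=0.8):
    stone = RosettaStone(min_confidence)
    for a, b, c in SLIDE_LINKS: stone.add_link(a, b, c)
    return stone
```

Lowering `min_confidence` below 0.4 merges Hidden Lynx into the APT17 cluster; keeping the threshold turns the slide's question marks into an explicit "unconfirmed" list that an analyst can chase with the next search round.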

Page 21

What I have found along the way

▌ Re-discovering links from older campaigns

Uroburos/Venomous Bear/Snake were responsible for the US DoD USB ban

▌ Understanding new links

North Korean Dark Seoul malware and Iranian Shamoon Aramco malware (sharing may be due to a technical agreement between the nations)

▌ Threat intelligence is hard

Near impossible for an individual to do

Value is in understanding past actions and motivations, not just IOCs

Page 22

Contact me

▌ Ben Doyle, CISO Asia Pacific

https://www.linkedin.com/in/bendoylethales

[email protected]