S4 krotofil afternoon_sesh_2017


Transcript of S4 krotofil afternoon_sesh_2017

Page 1: S4 krotofil afternoon_sesh_2017

SECURITY ANALYSIS OF CYBER ATTACKS IN

UKRAINE

Marina Krotofil
Lead Security Researcher
Honeywell Industrial Cyber Security Lab

S4x17, Miami, Dec 10 2017

Oleksii Yasynskyi
Principal Researcher & Head of ISSP Labs
ISSP group

Page 2: S4 krotofil afternoon_sesh_2017

Recap: Dec 2016 Power failure in Ukraine

https://www.youtube.com/watch?v=AUoiKZBqIo0

Electrical transmission-level substation Pivnichna (330kV) suddenly cut off from the main power grid

Dec 17th 2016, at 23:53 (11:53 pm)

Page 3: S4 krotofil afternoon_sesh_2017

My Collaboration with Ukraine: How it Began

Feb 24-26, 2016

Invited to Ukraine by ISACA Kyiv Chapter
− Delivered 4 talks on ICS & Smart Cities security

Conference on Critical Infrastructure Protection
− Government
− Enterprises, financial sector, utilities
− Researchers

Ongoing collaboration in several areas
− Security governance and policies
− Education and international collaboration
− Research exchange

Alexey Yankovski
President, ISACA Kyiv Chapter

Page 4: S4 krotofil afternoon_sesh_2017

About ISSP

ISSP – Information Systems Security Partners
− A group of companies, specialized in cybersecurity, data management solutions, managed security services, professional training and security research

Research Center & ISSP Lab
− Specialization on malware analysis and advanced computer forensics. Provides research facilities for cybersecurity students and scientists, est. 2015

Cyber Academy
− Educational institution whose aim is to enhance quality of cybersecurity and data science in academia, est. 2016

Page 5: S4 krotofil afternoon_sesh_2017

In this talk…

We are not sharing the details about the power grid hack yet
− But we focus on the steps leading to this kind of consequences, which are well studied and understood

Discovering KillDisk in your network is already too late
− The attackers already have a very reliable distributed foothold in your network
− Cleanup/eradication is almost impossible

It is critical to detect malicious invasion at early stages
− The very subtle traces left behind by the attackers
− Behavioral patterns

Page 6: S4 krotofil afternoon_sesh_2017

New wave of infection via spear phishing

July 14, 2016

Angry customer complains about email from Diamantbank. He supposedly has a large unpaid debt with the bank which is now threatening him with legal action.

Although the customer understood it was a scam, he OPENED the attachment.

Financial Portal

Don’t send me this scam again!

Page 7: S4 krotofil afternoon_sesh_2017

Anti-spam detection

Malicious code is embedded into romantic lyrics to avoid detection by spam detection algorithms (e.g. ratio of text to code)

Page 8: S4 krotofil afternoon_sesh_2017

Signature-based detection evasion

Nesting doll: code in the code

These pieces of code will eventually assemble into a malicious line of code

https://eugenebicyclist.files.wordpress.com/2012/04/nestingdolls.jpg

Page 9: S4 krotofil afternoon_sesh_2017

The macro grows aware of its surroundings

SandBox and ISP detection routines

ISP detection

PowerShell start

Malicious URL

SandBox detection

HTTP request for detecting public IP of target

Page 10: S4 krotofil afternoon_sesh_2017

Obfuscation techniques

Making code look like pure noise

Page 11: S4 krotofil afternoon_sesh_2017

Video: Oleksii Yasynskyi

Page 12: S4 krotofil afternoon_sesh_2017

Customization: your computer is special!

And the attacker is interested in getting to know it as intimately as possible

They put all their effort into winning the system's trust and using it to its full potential
− 500 builds in just two weeks!

Hancitor

Page 13: S4 krotofil afternoon_sesh_2017

Detection challenges: permutations (1)

http://www.learnhowtosolvearubikscube.com/how-to-solve-a-rubiks-cube-solution-overview/

Is it still a Rubik's Cube? Are these parts of a Rubik's Cube?

Rubik's Cube

http://rubiks.wikia.com/wiki/Disassembling_a_Rubik's_cube

Page 14: S4 krotofil afternoon_sesh_2017

Detection challenges: permutations (2)

This element in the entire code

Extracting main code

This is KillDisk, malware with a tiny task and multiple faces

Page 15: S4 krotofil afternoon_sesh_2017

Detection challenges: permutations (2)

Fills in blank spaces after a few operations

Register which points to the memory location in which to unfold the virus

It is similar to the process of putting together a puzzle

Blank spaces which will be filled in the next iterations as the virus unfolds itself

Page 16: S4 krotofil afternoon_sesh_2017

Detection opportunities

Devising signatures for the whole malware sample is ineffective due to malware mutation

Instead: develop signatures for specific attack techniques

Hash-based function calls
− Approach proposed in ~2006
− LoadLibraryA & GetProcAddress are commonly used in malware code

− Win32/Spy.Bebloh (banking trojan)
− Win32/PSW.Fareit (Trojan for stealing passwords)
− Win32/Rustock (Backdoor)
− Win32/TrojanDownloader.Carberp (Dropper of banking trojan Carberp)
− Win32/Kelihos (Spam sender)
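The technique-level signature the slide argues for, as an added example that is not the speakers' tooling: a table of API-name hashes lets an analyst resolve the constants a hash-resolving loader carries instead of plain import names, and a scanner for those constants keeps matching after the rest of the sample is repacked. The ROR-13 hashing scheme is an assumption (the slide does not name the algorithm); the export lists and the sample blob are constructed.

```python
import struct

def ror13_hash(name: str) -> int:
    """ROR-13 hash over the ASCII bytes of an export name (assumed scheme)."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF  # 32-bit rotate right by 13
        h = (h + b) & 0xFFFFFFFF
    return h

# Constructed subset of export names; a real table is built from the export
# directories of the DLLs on the analysed system (hypothetical data).
KNOWN_EXPORTS = {
    "kernel32.dll": ["LoadLibraryA", "GetProcAddress", "VirtualAlloc", "CreateFileA"],
    "ws2_32.dll": ["WSAStartup", "connect", "send", "recv"],
}

def build_hash_table(exports=KNOWN_EXPORTS):
    """hash -> (dll, api): lets an analyst resolve constants found in a sample."""
    return {ror13_hash(api): (dll, api) for dll, apis in exports.items() for api in apis}

def find_api_hashes(blob: bytes, table=None):
    """Scan every 32-bit little-endian window of a blob for known API hashes,
    i.e. the constants a hash-resolving loader compares against instead of
    carrying the plain API name. Returns one (offset, dll, api) per hit."""
    table = table if table is not None else build_hash_table()
    hits = []
    for off in range(len(blob) - 3):
        val = struct.unpack_from("<I", blob, off)[0]
        if val in table:
            hits.append((off,) + table[val])
    return hits

# Constructed sample: filler bytes with two hash constants embedded as 32-bit
# immediates, the way a resolver loop carries them; not a real sample.
SAMPLE = (b"\x90" * 4 + b"\x68" + struct.pack("<I", ror13_hash("LoadLibraryA"))
          + b"\xcc" * 3 + b"\x68" + struct.pack("<I", ror13_hash("GetProcAddress"))
          + b"\x90" * 4)

if __name__ == "__main__":
    for off, dll, api in find_api_hashes(SAMPLE):
        print(f"offset {off:#06x}: {dll}!{api}")
```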

Page 17: S4 krotofil afternoon_sesh_2017

Meanwhile, back at the ranch…

SPEAR PHISHING ATTACK HITS INDUSTRIAL COMPANIES

~500 organizations from 50 countries (active campaign)
− Vendors of industrial automation & field equipment
− Integrators and support contractors

Very determined attacker
− Appears to target smaller companies first so that it can send legitimate-looking emails to larger companies

Old tools carefully packed into a new container
− Earlier unseen crypter for delivery of the initial payload
− An array of tools for almost everything (remote administration, recon, data and file collection, etc.)

Page 18: S4 krotofil afternoon_sesh_2017

Take aways (1)

You will get hacked guests on your network
− The e-commerce sector is already moving away from the “end user host is taken” attacker model to “end user application is taken”
− Detection/defenses at the level of work-flows and business processes

thetoptenz.net/animal-camouflage/

https://bybio.wordpress.com/tag/batesian-mimicry/

YOU AGAIN?

Camouflage and mimicry
− The adversary will blend into your infrastructure as quickly as possible
− Business process owners must be included for defining known “good” and “not good”

Page 19: S4 krotofil afternoon_sesh_2017

Uncovering disguise

Number of sessions under legitimate service account
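One way to turn the slide's idea into a check, as an added example that is not from the talk: compare each service account's session count and the hosts it logs on from against a per-account baseline, so an adversary reusing a legitimate service account stands out. The log layout, account names and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed logon events (account, source host, logon type). The layout is
# an assumption for this example, mimicking a SIEM export of logon events.
SAMPLE_LOGONS = """
svc_backup,SRV-FILE01,Service
svc_backup,SRV-FILE01,Service
svc_backup,WS-0142,Network
svc_backup,WS-0207,Network
svc_backup,WS-0311,Network
svc_backup,WS-0093,Network
svc_backup,WS-0355,Network
jdoe,WS-0142,Interactive
""".strip()

# Constructed baseline: the hosts a service account normally logs on from and
# how many sessions per review window are normal for it.
BASELINE = {"svc_backup": {"hosts": {"SRV-FILE01"}, "max_sessions": 3}}

def parse_logons(text):
    """Split the CSV-style export into (account, host, logon_type) tuples."""
    rows = []
    for line in text.splitlines():
        account, host, logon_type = line.split(",")
        rows.append((account, host, logon_type))
    return rows

def find_disguised_accounts(rows, baseline=BASELINE):
    """Flag baselined accounts whose session count exceeds the baseline or
    that appear on hosts outside their known set. Returns account -> details."""
    sessions = defaultdict(int)
    hosts = defaultdict(set)
    for account, host, _ in rows:
        sessions[account] += 1
        hosts[account].add(host)
    findings = {}
    for account, profile in baseline.items():
        new_hosts = hosts[account] - profile["hosts"]
        if sessions[account] > profile["max_sessions"] or new_hosts:
            findings[account] = {"sessions": sessions[account],
                                 "new_hosts": sorted(new_hosts)}
    return findings

if __name__ == "__main__":
    for account, details in find_disguised_accounts(parse_logons(SAMPLE_LOGONS)).items():
        print(f"{account}: {details['sessions']} sessions, new hosts {details['new_hosts']}")
```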

Page 20: S4 krotofil afternoon_sesh_2017

Take aways (2)

http://hdcdnsun2.r.worldssl.net/sites/www.hypnosisdownloads.com/files/broken-heart-image.jpg

Disjointed infrastructure monitoring approach is dead
− Bird's-eye view: real-time holistic monitoring across multiple security and performance tools/applications
− And use their synergies

Page 21: S4 krotofil afternoon_sesh_2017

The most important take away

In the 1st investigation, reconstructing the timeline took 4 months
− No tools (had to be developed)
− No previous similar experience

Reconstructing the timeline now takes 2 weeks
− With even greater detail
− You spare time and gain knowledge to work on defenses

http://cdn.quotesgram.com/img/99/0/1555958381-lemons.jpg

Page 22: S4 krotofil afternoon_sesh_2017

Acknowledgement

Honeywell team for incredible work environment and support
Roman Sologub, General Manager, ISSP
Aleksey Baranovsky, Head of Cyber Academy, ISSP
Vladimir Dashchenko, Kaspersky Lab & ICS-CERT

And dear hackers for securing our jobs ;-)

Page 23: S4 krotofil afternoon_sesh_2017

Thank you

Marina [email protected]
@marmusha

Oleksii Yasynskyi
[email protected]
@Aleksey_yas
https://socprime.com/en/blog/