Slide 1
THE UNBEARABLE LIGHTNESS OF APTing
Slide 2
WHO ARE WE?
Ron Davidson, Head of Threat Intelligence and Research, Check Point Software Technologies
Yaniv Balmas, Security Researcher, Check Point Software Technologies
Slide 3
APT
Advanced Persistent Threat
Slides 4-6
APT
Advanced
“An APT is a network attack in which an unauthorized person gains access to a network and stays there undetected for a long period of time.”
“APT is a set of stealthy and continuous computer hacking processes … APT usually targets organizations and/or nations for business or political motives.”
Threat
?
Slide 7
APT HISTORY
Timeline 2010 to 2015 (count per year as shown on the slide, with example campaigns):
• 2010: 12 · Aurora
• 2011: 13 · Stuxnet, Duqu, RSA Hack
• 2012: 24 · Madi, Flame, Gauss, Subpab, Shamoon
• 2013: 54 · Wiper, Red October, APT1, Machete
• 2014: 107 · CosmicDuke, Dragonfly, Regin, Havex, Energetic Bear
• 2015: 79 · Carbanak, Equation, Duqu2, Casper, Babar, PlugX
Source: github.com/kbandla/APTnotes
Slide 8
WHAT’S COMMON?
Attribution (@AttributionDice)
Slide 9
WHAT’S IN COMMON?
Attribution share (@AttributionDice):
• China 44%
• Russia 23%
• France 11%
• USA 9%
• Iran 9%
• Israel 5%
Slide 10
WHEN IN DOUBT…
It’s probably China!
Slide 11
WITH GREAT POWER COME GREAT APTS
Slide 12
VOLATILE CEDAR
• A targeted campaign
• Has been active since late 2012
• The operation was terminated following our publication in March 2015
Slide 13
WHY VOLATILE CEDAR?
Explosive-443
Slide 14: (image only)
Slide 15
HEZBOLLAH
Slides 16-17
HEZBOLLAH
• “Party of God”
• Islamist political and militant group
• Part of the Lebanese government
• Funded by Iran
• Official flag contains an AK-47
?!
Slide 18
PERSISTENT
Timeline Nov 2012 to Nov 2014 (ticks: Nov 12, Mar 13, July 13, Nov 13, Mar 14, July 14, Nov 14)
Malware versions released in order: Version 1, Version 2, KS Version, Micro Version, Version 3
Slides 19-21
THREAT
• Targets were carefully chosen (sectors shown: Civil Services and Gov, Hosting, Education, Other).
• Very specific geopolitical sector
• Malicious activity was mostly key-logging and clipboard logging.
Slide 22
ADVANCED?!
Slide 23
ADVANCED?!
Keith B. Hassan
VS
Slide 24
Round 1: ATTACK VECTOR
Slide 25
STUXNET (Attack Vector)
• Deliver USB drives into a highly secured site
• USB contains 4 0-days
• CPLink vulnerability
• Lateral movement via peer-to-peer RPC
Slide 26
VOLATILE CEDAR (Attack Vector)
• The target itself might be a hard nut to crack.
• Look in its proximity…
• Exploit default, unpatched IIS installations.
• Insert a web-shell and a key-logger into compromised servers.
• Use key-logging data for lateral movement.
Slide 27
Round 2: PERSISTENCE
Slide 28
EQUATION (Persistence)
• Insert implant code into hard-drive firmware
• Support 12 different HDD vendors/variations
• Possibly infect boot sector
Slide 29
VOLATILE CEDAR (Persistence)
• Install as a new service
• What if the service gets removed/stopped?
• Use the web-shell to restart/reinstall it
Slide 30
Round 3: COMMAND AND CONTROL
Slide 31
PLUGX (Command & Control)
• Victim-side C&C servers are legitimate hosts
• A custom DNS resolver is used by the malware
• This DNS is hijacked and redirects to the C&C server
Slide 32
VOLATILE CEDAR (Command & Control)
Slides 33-35
VOLATILE CEDAR (Command & Control)
• “Advanced” DGA Algorithm. Generated names shown on the slide:
  redotnetexplorer
  erdotnetexplorer
  edrotnetexplorer
  edortnetexplorer
  edotrnetexplorer
  edotnretexplorer
  …
• Use hijacked sites / cheap VPS as infrastructure (~500 $, ~753,250 LBP)
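The six names on the slide differ only in where the leading letter of the seed sits, so the DGA can be reproduced from what is shown. The block below is an added example, not the presenters' or the malware's code: it assumes, from those six samples, that each candidate moves the first letter of the seed one position further right, reproduces the slide's sequence, and shows the matching defender-side check a DNS-log triage script can run.

```python
# Added example: reproduces the domain sequence shown on the slide and
# flags DNS queries whose first label belongs to that family.
# The shift rule is inferred from the six samples on the slide (the first
# letter walks rightwards one step per candidate); it is an assumption,
# not the published algorithm.

SEED = "redotnetexplorer"  # seed label taken from the slide; the TLD is not shown


def shift_first_letter(label, pos):
    """Move the first character of label so that it lands at index pos."""
    if not 0 <= pos < len(label):
        raise ValueError("pos out of range")
    rest = label[1:]
    return rest[:pos] + label[0] + rest[pos:]


def generate_variants(seed=SEED):
    """Yield the seed followed by every first-letter shift, in slide order."""
    for pos in range(len(seed)):
        yield shift_first_letter(seed, pos)


def is_variant(label, seed=SEED):
    """True if label is the seed or one of its first-letter shifts.

    Cheap filter first: a variant always has the same multiset of characters
    as the seed, so anything else is rejected without enumerating the family.
    """
    if len(label) != len(seed) or sorted(label) != sorted(seed):
        return False
    return label in generate_variants(seed)


def flag_dns_queries(queries, seed=SEED):
    """Return the queried names whose first label matches the shift family."""
    hits = []
    for name in queries:
        first_label = name.split(".")[0].lower()
        if is_variant(first_label, seed):
            hits.append(name)
    return hits


# Constructed sample of DNS queries (hypothetical TLD; not indicators from the deck).
SAMPLE_QUERIES = [
    "edortnetexplorer.example",   # fourth candidate on the slide
    "dotnetexplorer.example",     # one letter short, not in the family
    "redotnetexplorre.example",   # same letters, but not a first-letter shift
    "www.example",
]

if __name__ == "__main__":
    for candidate in generate_variants():
        print(candidate)
    print("flagged:", flag_dns_queries(SAMPLE_QUERIES))
```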
Slide 36
Round 4: STEALTH
Slides 37-38
REGIN (Stealth)
• Six-stage architecture.
• Uses both user-land code and kernel modules.
• Stores stages in a custom Virtual File System.
Source: symantec.com
Slide 39
VOLATILE CEDAR (Stealth)
• Create a dedicated thread to monitor the process’s CPU activity.
• Once CPU usage is greater than the threshold:
• Restart the process ;)
Slide 40
Round 5: ENCRYPTION
Slide 41
EQUATION (Encryption)
• Usage of AES, RC5 and RC6
• A unique RC6 implementation designed for better performance.
Slides 42-45
VOLATILE CEDAR (Encryption)
• Reversed strings: google.com → moc.elgoog
• Oh, wait… That might be too easy to spot. Use Base-64! → bW9jLmVsZ29vZw==
• Oh no, now it looks like Base-64. → ==wZv92ZsVmLj9Wb (the Base-64 string reversed)
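The three "encryption" layers the slides walk through (reverse, Base-64, reverse again) are a fixed, keyless transform, so they are as easy to undo as to apply. The block below is an added example, not the presenters' or the malware's code: it applies and inverts the transform on the slide's own value, and adds a small scanner for strings output that uses the leading "=" padding as the tell for reversed Base-64.

```python
import base64
import re

# Added example: the reverse / Base-64 / reverse transform shown on the
# slides, its inverse, and a scanner for extracted strings.


def obfuscate(plain):
    """google.com -> moc.elgoog -> bW9jLmVsZ29vZw== -> ==wZv92ZsVmLj9Wb"""
    reversed_plain = plain[::-1]
    b64 = base64.b64encode(reversed_plain.encode("utf-8")).decode("ascii")
    return b64[::-1]


def deobfuscate(blob):
    """Inverse of obfuscate(); raises ValueError when blob is not a reversed Base-64 string."""
    b64 = blob[::-1]
    try:
        reversed_plain = base64.b64decode(b64, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError) as exc:  # binascii.Error is a ValueError
        raise ValueError("not a reversed Base-64 string: %r" % blob) from exc
    return reversed_plain[::-1]


# Any run of Base-64 alphabet characters is a candidate token. Reversing the
# Base-64 moves its "=" padding to the front, which normal Base-64 never has;
# strings whose plaintext length is a multiple of 3 carry no padding, so the
# decode-and-check step below is what actually decides.
_TOKEN = re.compile(r"[A-Za-z0-9+/=]{8,}")


def find_reversed_b64(text):
    """Return (token, decoded) pairs for tokens that decode to printable ASCII."""
    found = []
    for match in _TOKEN.finditer(text):
        token = match.group(0)
        try:
            decoded = deobfuscate(token)
        except ValueError:
            continue  # valid characters, but not a reversed Base-64 string
        if decoded.isascii() and decoded.isprintable():
            found.append((token, decoded))
    return found


# Constructed sample of "strings"-style output (not taken from the real sample).
SAMPLE_STRINGS = """
kernel32.dll
==wZv92ZsVmLj9Wb
GetProcAddress
=cvhudsaw
"""

if __name__ == "__main__":
    print(obfuscate("google.com"))
    print(deobfuscate("==wZv92ZsVmLj9Wb"))
    print(find_reversed_b64(SAMPLE_STRINGS))
```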
Slide 46
CONCLUSIONS
• “Advanced” is a very subjective term
• Dedication can sometimes be as effective as resources
• APT is no longer the sole domain of multi-billion dollar organizations.
Slide 47
MORE RECENT EXAMPLES
• The Spy Kittens Are Back: Rocket Kitten 2 - Cedric Pernet (Trend Micro), Eyal Sela (ClearSky)
Slide 48
ROCKET KITTEN 2
Threat?
“We believe the espionage factor and political context make their attacks unique and very different from traditional targeted attacks… This is an obvious case of politically inspired or motivated espionage.”
“550 Targets, most of which are located in the Middle East… policy research, diplomacy, all aspects of international affairs, defense, security, journalism, human rights… Israeli academic institution… scientists, journalists, researchers, and sometimes expatriated Iranians living in Western countries…”
Slide 49
ROCKET KITTEN 2
Persistent?
“Numerous attempts to attack the same (chosen) targets for as long as necessary”
“Barrage targets until they eventually slip”
“The attackers do make up for these disadvantages with persistence…”
Slide 50
ROCKET KITTEN 2
Advanced?
“Simple tools and lack of professionalism… they don’t seem to put much effort into quality”
“The group is not very technically sophisticated… analysis of their code showed deficits and mistakes that a professional cybercriminal would not make… actors used off-the-shelf and low-quality tools”
Slide 51
MWI AS AN APT TOOL
• A New Word Document Exploit Kit - Nart Villeneuve, Joshua Homan, FireEye - “advertised as an “APT” tool to be used in targeted attacks”
• Microsoft Word Intruder RTF Sample Analysis - Omri Herscovici, Check Point
• Microsoft Word Intruder Revealed - Gabor Szappanos, SophosLabs Hungary
Slide 52
MWI CAMPAIGN TARGETS
• Ministry of Education
• Government Export Agency
• Medical Centers
• A university computation center
• An airline carrier
• The Supreme Court network
• Government Aviation Authority
• The Municipalities Computation Center
• The Social Security Authority