My5tery solved

Typical autumn day, through the window you can only see a gray sky. It is the typical day in which you believe that nothing strange is going to happen. Suddenly, our surveillance system alerts anomalous connections: a user has tried to connect against IP addresses of unknown origin. These IP addresses are public and, according to the configuration established in the organization, any HTTP connection to the outside must pass through a proxy.

The connections are searched in the proxy logs and are not found, so this user has tried to connect directly, ignoring the configuration of the system. [Read more…]

The 5 keys of an Operator’s Security Plan for a health service

(This post has been prepared by Juan Carlos Muria & Samuel Segarra.)

Regarding the protection of critical infrastructures and essential services, as reflected in the European NIS Directive, in Spain there is a National Strategy that includes the health sector as a critical infrastructure.
In this SAW post, we explain the key success factors for approaching the preparation of the Sector Strategic Plan to render it compliant with Spanish regulation, although there are many points in common with protecting critical infrastructure in other countries, according to our experience.

And finally it arrived: The Sector Strategic Plan (PES) for the health sector was published at the end of October, and now comes the time, for elected operators, to draft the Operator’s Security Plan (OSP) in less than six months, not forgetting that then there will only be four months to detail the Specific Protection Plans for each of the critical infrastructures, and finally the Operational Support Plans (PAO).

This is the minimum required by the National Center for the Protection of Critical Infrastructures, in response to meetings held and emails exchanged with different operators.

The structure of these plans is defined by the (CNPIC) itself, so we have preferred to focus on the things that a healthcare operator should take into account, and since we are on a blog and the content should be short and concrete, we have decided to highlight the 5 most important things, which should not be missing in a OSP.
Shall we start?
[Read more…]

(Cyber) GRU (XIV): conclusions

In this work, we have analyzed mainly the structure, targets and TTP of the GRU in the cyber field, based on the information brought to light during 2018 and which allowed to obtain a detailed knowledge of the Service and its activities, not only to intelligence services, but also to poor analysts like us who do not have all the capabilities that a state can have. With what we know, even analyzing public sources, we have access to information that in some cases should be considered sensitive and that, without a doubt, is being -or has been- analyzed by services from all over the world, starting with Russia itself.

The fact that we know the GRU better than a year ago does not mean that now it is a worse service than before; it will remain part of the elite, fulfilling its missions and acting “in any part of the world where it is required“, said one of its former directors. The GRU, or APT28, or whatever you want to name it, will continue to be a very important player in the cyber field and, of course, in the non-cyber realm. We all make mistakes, and the GRU made them on that occasion – and they were published. However, it is more of a concern in certain circles that the GRU failed in its operations than to have leaked the identities or modus operandi of some of its members.

[Read more…]

(Cyber) GRU (XIII): questions and conspiracies

Everything that happened in 2018 in relation to the GRU, both the public accusations of different governments and the private investigations in relation to their activities, make us ask ourselves different questions; surely all of them have an answer, but we do not know them, or at least not for sure… so, we can also talk about conspiracies when it comes to answering these questions. Let’s see them in this section.

How was this information obtained?

We do not know. Certainly not from public sources: surely we are talking about information obtained from human sources, for example, from a possible mole in the Service … or in another service that knows the GRU well.
Some analysts relate to the information that this year saw the arrest, in December 2016, among others of Sergei MIKHAILOV (Coronel of the FSB, Director of the Second Department of the ISC), Dmitry DOKUCHAEV (Commander of the FSB, assigned to the same department as MIKHAILOV and also sought by the FBI) and Ruslan STOYANOV (Kaspersky analyst, but previously linked to the FSB). All of them accused of high treason and could have sold sensitive information to the American intelligence. Could these people have betrayed the FSB, and by extension to the GRU, by providing data on operations, agents, techniques … used by the Service against foreign interests? Could any of the Russian services still have an active mole that sells this information to other intelligence services? Who knows?
[Read more…]

(Cyber) GRU (XII): OPSEC

The GRU members expelled from the Netherlands used basic OPSEC measures, such as throwing out their own rubbish while staying in a hotel; nevertheless, their arrest revealed the lack of other equally basic security measures, that undoubtedly will have given the Service plenty to talk about. Perhaps the proximity operations – at least in the Netherlands – were not considered as a risk by the GRU, perhaps they were considered human failures due to breach of regulations … who knows. The fact is that this poor OPSEC brought to light information on identities, targets, TTP … that allowed us to know the Service a little better during 2018 and that, had they acted otherwise, these evidences wouldn’t be so.

When we talk about OPSEC, beyond formal models and methodologies, we always talk about the three Cs[1]: Cover, Concealment, Compartmentation. The coverage of an operation must allow you to justify where you are (state) and what you are doing (action), the concealment must allow hiding activities or identities related to the operation and, finally, compartmentation, as a final line of defense, must minimize the impact in case things go wrong, not affecting other people, operations, etc.
[Read more…]

(Cyber) GRU (XI): TTP

The information that has come to light in recent months, especially Mueller’s accusation, has identified different tactics and techniques of the GRU, some of them previously known – and in many cases linked to APT28 – and others that, although we could all imagine, no one had previously confirmed. These TTPs are summarized in the following table, based on an adaptation of the tactics and techniques published by MITRE in its ATT&CK framework:... Leer Más

(Cyber) GRU (X): objectives

Apart from some more specific objectives, such as Westinghouse Electric Company’s – with business in nuclear technology – or domestic routers that can be compromised to orchestrate a distributed attack against the real objective, the information published in 2018 has brought to light five major GRU objectives, consistent with the interests of the Service and consequently with those of the Russian Federation; are those exposed at this point.

It is striking that in most of these objectives – with the possible exception of Ukraine and its infrastructures – the GRU has, presumably always, an interest related more to the confrontation of psychological information to which we have referred than with a purely technical attack. In other words, it is unlikely that the GRU will attack targets such as the researchers of the use of Novichok or the demolition of the MH17, which we will see below, with the intention of technologically altering the results of these investigations … it is more likely that the real objective was to obtain information, on the one hand, to know first-hand the state at each moment and on the other, equally important, to obtain data that would allow the Service to initiate disinformation campaigns against these investigating bodies, so that in the face of society they would lose lost credibility in their claims, thus benefiting the interests of the Russian Federation. [Read more…]

(Cyber) GRU (IX): structure. Other units

In addition to the two previous units, which have gained prominence from the information brought to light in 2018, the GRU has other Military Units linked to signal intelligence, cybersecurity or information warfare. Some of which we can find data in public sources are the following:

  • Military Unit 11135 (18th Central Research Institute). Historically ([1]) the Central Scientific Research Institute has been identified within the GRU, which from Moscow designs SIGINT equipment for the GRU and which is perhaps currently this Military Unit, focused today not only on interception of radio and satellite communications but also on wireless devices, SCADA systems or protection of communications ([2]).
  • Military Unit 40904, known as the “177th Independent Center for the Management of Technological Development”. Located in Meshcheryakova, 2 (Moscow), with high probability, this unit specializes in signal intelligence processing ([3]).
  • Military Unit 36360. Apparently it is a training unit of the GRU in which advanced intelligence courses are taught, at least since January 1949. This training, also apparently and according to open sources, includes topics closely linked to the cyber domain such as the following:
    • Telecommunications Engineering (communication by radio, radio broadcasting and television).
    • Technologies, networks and communication systems.
    • Information systems and technologies: information and analysis.
    • Software Engineering.
    • Applied Mathematics and Computer Science.
    • Information security.
    • Computer software.
    • Automated information processing and control systems.
    • Translation and translation studies (linguistics).
  • Military Unit 54726 (46th Central Research Institute), a center focused on military technical information, especially on the capabilities of foreign countries, which potentially includes research in the cyber field.

[Read more…]

CISSP certificate – II. Personal experience

In yesterday’s post we saw some general aspects of CISSP certification, which can be expanded consulting the official website of (ISC)2. In this post I will go into detail on the non-formal aspects, such as materials, advice and personal opinions. Let’s get started.

Is the exam difficult?

If you search on Google, the main user communities related to (ISC)2 are found on reddit and in the (ISC)2 forums. In both there are multiple entries relating opinions, experience with the exam, asking and giving advice, reviewing study materials and other topics. However, my impression is that the tone tends to be negative and somewhat frightening, terrifying even at times. Many people who have taken the exam describe it as very difficult and obscure with tricky wording. In addition, there are no “example” questions on the Internet, and the people who produce the training material (including the official question book) or teach the training courses (bootcamps) are never the same people who write the exam questions. Therefore, a critical element to manage during exam preparation is uncertainty.

[Read more…]

Ukraine election 2019 polls Maldoc: analysis

From Lab52 at S2 Grupo, we have recently detected a malicious document titled “Ukraine_election_2019_polls.doc”. The document was uploaded to Virustotal on March 12nd, 2019 from Germany.

The title and uploading date is especially relevant in this case, because of the existing conflict between Ukraine and Russia and the general elections at Ukraine.

Document content

[Read more…]