Security Art Work

This text is the result of a conversation I had some time ago with a coworker. The idea came up during a quick coffee break, but over the years I have come to believe that it pointed to a structural problem that deserves to be addressed with a little more calm.

For years, I thought that the problem with cybersecurity was in the details. If I had to be a little more specific today, I would say that the problem is not so much in the details as in what we have done with them: the exception is no longer the exception.

All organizations are full of small special cases. The user who needs local administrator permissions; the umpteenth group in Active Directory that contains only a few people; the application that uses a non-standard port; the legacy database that requires a different backup scheme; the department that needs to run software not included in the whitelist; the manager who needs to be allowed to use USB devices; the server that cannot be patched so as not to break compatibility; the one-off exception in the firewall; the processing of personal data that requires an exception to minimization or retention policies because “the process needs it.”

The nature and number of exceptions is countless.

The main units of the Russian GRU engaged in cyberspace operations have been discussed in this blog: from our old posts (from 2018) about unit 26165 and 74455, to the recent rise of unit 29155. All these units have something in common, in addition to their cyberspace capabilities: they have been assigned an APT group name. Military unit 26165 is commonly referred as APT28, while unit 74455 is known as Sandworm Team and unit 29155 is named Ember Bear (please note the mess about APT groups nomenclature, referred in this blog). However, not all GRU units operating on cyberspace have the honor of being assigned an APT group. In this post, unit 54777 is presented, a GRU military unit engaged in PSYOP -also through cyberspace- but, until now, without a particular common name.

Soviet Union, and now Russia, has a long history on disinformation and psychological warfare. In fact, Information Confrontation’s aim is to influence the perception and behavior of the enemy, population, and international community. Psychological warfare has been used since the roots of Soviet intelligence by spymaster and Cheka founder Felix DZERZHINSKI, to the current Ukrainian conflict. Just a fact to highlight the relevance of psychological warfare in modern Russia: Aleksandr Gennadyevich STARUNSKY, a former commander of military unit 54777, was appointed by Vladimir PUTIN to the Scientific Council, under the Security Council of the Russian Federation.

Soviet GRU, and whole Soviet Red Army, considered special propaganda as part of their active measures. Although propaganda was supposed to influence on enemy troops, the Soviet regime used it to strengthen the spirit of its own troops. When Soviet Union collapsed, the Special Propaganda Directorate, responsible for military psychological operations, were transferred into the GRU, and few years later, in 1994, it was established as military unit 54777. This transference was not only a bureaucratic question: it made Russian PSYOP more aggressive than they were during Soviet times. While in Soviet times special propaganda units operated only during military operations, with this transference operations began to be carried out “in peace time and war time”.

Military unit 54777 (VCh 54777, 72nd Special Service Center, 72nd Main Intelligence Information Center -GRITs- or Foreign Information and Communications Service), is still responsible for the GRU’s PSYOP. A detailed description of this unit, together with historical Soviet propaganda efforts and current Russian psychological warfare, can be found on Agentura website and on Aquarium Leaks (Inside the GRU’s Psychological Warfare Program).

Among its most notable operations, unit 54777 has been involved in disinformation campaigns related to the 2014 annexation of Crimea, to the Syrian civil war and to the Ukraine conflict. In peace time, this unit has been involved in propaganda campaigns during elections in Europe and in the United States, as well as in disinformation campaigns related to COVID-19 pandemic.

In addition to conventional PSYOP, unit 54777 includes both SIGINT and cyberspace capabilities. Related to SIGINT, unit 54777 gathers and analyzes communications to produce intelligence that can be used in further disinformation and influence campaigns. In the cyber arena, this unit works complementing Cyberspace Operations not only with digital PSYOP: its activities include operating in support of other GRU cyber units, creating and disseminating fake versions of their cyberspace operations, as well as operating on the tactical level by conducting electronic warfare and psychological operations.

Unit 54777 conducts most of its online operations through social media, an activity which began with the Maidan revolution. In addition to social media, this unit engages in spreading disinformation and manipulating public opinion through online digital platforms and public forums. It works through several front organizations, including InfoRos and the Institute of the Russian Diaspora, founded by Aleksandr Gennadyevich STARUNSKY. These are “information agencies” focused on political, economic and social life in the Russian Federation and other ex Soviet Republics, posting both in Russian and in English.

Probably, unit 54777 is located within the GRU 12th Directorate, which focuses on information operations. It is believed that unit 54777 is overseen by unit 55111. In fact, Aleksandr Gennadyevich STARUNSKY, former commander of unit 54777, was the deputy commander of unit 55111 when he was appointed to the Scientific Council. According to open sources, military unit 54777 has, or has had, different subordinate units performing PSYOP in every Russian military district in addition to the Moscow one:

• PSYOP Leningrad Military District, military unit 03126, located in Leningrad region.
• PSYOP Central Military District, military unit 03138, located in Yekaterinburg.
• PSYOP Southern Military District, military unit 03128, located in Rostov-on-Don.
• PSYOP Eastern Military District, military unit 03134, located in Khabarovsk.

A characteristic feature of all these units is their emblem: a combination of the international symbol for psychology, Y (“Psi”), and a red carnation, the heraldic symbol of Russian military intelligence, as shown in image (from Agentura website):

Historically, the Russian GRU military unit 29155 (VCh 29155, 161st Specialist Training Center) has been involved in active measures such as subversion, assassinations or sabotage. Recall that Soviet or Russian active measures refer to covert operations with the aim of influencing the policy or public opinion of third countries. These measures include from activities in cyberspace to “wet stuff” (assassinations, blackmail, sabotage…). Other famous operations of this unit include the sabotage of an arms depot in Czech Republic (2014), a coup in Montenegro (2016) or the attempted poisoning of the Skripals in Salisbury (2018).

Although unit 29155 was known to analysts, its existence jumped to generalist media when this unit was accused of being the cause of the “Havana Syndrome”. This syndrome was identified among U.S. and Canadian diplomats and intelligence personnel stationed in Cuba, in 2016, and its symptoms were replicated in other parts of the world. These symptoms include visual problems, vertigo or cognitive difficulties that manifest, according to those affected, after hearing strange sounds. Since the discovery of Havana syndrome, its origin has been controversial. Different studies have associated it with Russian intelligence activities related to new-generation weaponry, from acoustic weapons to directed energy.

In the dynamic and ever-changing cybersecurity environment, staying ahead of threats is more crucial than ever.

At S2 Grupo, in collaboration with the National Cryptologic Center (CCN), we have developed and continuously improved CARMEN, an innovative tool designed to protect organizations against the most sophisticated threats.

What is CARMEN?

CARMEN (Center for Log Analysis and Data Mining) is a comprehensive threat detection and response solution specifically designed to address the evolution of Advanced Persistent Threats (APTs). This tool is fundamental for Threat Hunting processes, allowing security teams to proactively identify and neutralize risks.

CARMEN’s main objective is to generate intelligence from network traffic and user activities within the organization, filtering and prioritizing critical information. In this way, it helps prevent security breaches and mitigate the impact of cyber-attacks. With CARMEN, organizations achieve full visibility of their infrastructure, facilitating both early threat detection and an agile and effective response.

In the world of cybersecurity there is a widely known vulnerability known as Path Traversal, which can affect web servers, including Nginx servers. This represents a significant threat to the integrity and security of information.

What does it consist of?

This vulnerability allows an attacker to access and read files outside the designated root directory. Therefore, an attacker could manipulate file requests to reach resources that should not be accessible.

How is such a vulnerability exploited? This is achieved by manipulating directory paths in HTTP request URLs.

The following image shows an example of how the server’s passwd file would be accessed via the web. The “..” symbols indicate the number of directories between the files shown on the web and the location of the server’s root folder.

That defenses are tested by attacks is now widely accepted by many organizations. For many years now, Red Team exercises have become an essential element in evaluating and improving the security of state-of-the-art IT infrastructures. In these exercises, one or more hackers simulate the behavior of an attacker and test for a set period of time both the security of a set of assets or users and the defensive capabilities of the organization’s security operations center (SOC), whose members must not know that the exercise is taking place.

The results obtained are reflected in a report containing one or more attack narratives and information on the weaknesses identified. This report is then used by the organization to improve security, minimizing the impact of future real attacks.

Red Team exercises are an excellent resource, not only for improving the organization’s defenses, but also for SOC personnel to face a realistic attack situation from which to learn, with the added benefit of being able to sit down with the attackers and discuss the play afterwards.

In recent years we have witnessed the release of a large number of C2s in different languages: Covenant in .NET, Merlin and Sliver in Go or Mythic in Python are some examples. All of them are added to the more classic tools established in previous years (Cobalt, Empire, …) creating a large ecosystem where sometimes it is difficult to choose between them all.

In September 2022, Havoc, a C2 written in multiple languages (C++, Golang, C and ASM) was published on github and has since achieved great notoriety in the world of offensive cybersecurity thanks to its modularity and efficiency, and has become one of the go-to free C2s.

In this post we will take a look at its installation process, as well as its operation and capabilities.

Installation

The installation of Havoc is simple and can be found in the documentation of the tool, the first thing we are going to do is to clone the repository:

In the dynamic and ever-changing landscape of cybersecurity, Advanced Persistent Threats (APTs) stand out as one of the most significant challenges. These threats, characterized by their sophistication and ability to evade traditional defences, can infiltrate corporate and government networks, remaining undetected for extended periods. Effective detection of APTs is therefore a critical priority to protect the integrity and confidentiality of information.

APTs are characterized by their high sophistication and persistence in target systems. Attackers, often backed by significant resources, employ complex tactics to gain unauthorized access to systems and extract sensitive data or cause prolonged damage. These tactics include the use of custom malware, exploitation of unknown vulnerabilities (zero-day), and advanced social engineering techniques. On the defensive side, the MITRE ATT&CK framework provides a comprehensive structure detailing the various methods and techniques attackers use at each stage of the cyberattack lifecycle, allowing for a better understanding and defence against these advanced threats.

In this context, artificial intelligence (AI) emerges as a promising tool to enhance APT detection capabilities. AI, with its ability to analyse vast amounts of data and detect anomalous patterns, offers an advanced solution against traditional cybersecurity techniques. Unlike conventional methods, which often rely on predefined signatures and static rules, AI can adapt and learn from new threats in real-time.