Exploiting APT data for fun and (no) profit (I): acquisition and processing

When attending talks about APT, or when giving them, you sometimes hear sentences like “most threat actors are focused on information theft” or “Russia is one of the most active actors in the APT landscape”. But where do all those sentences come from? We have spent a whole night exploiting APT data for fun and (no) profit, in order to provide you with some curiosities, facts, data… that you can use from now on in your APT talks!! :)

Since 2019 the folks at ThaiCERT have published the free PDF book “Threat Group Cards: A Threat Actor Encyclopedia” and they have an online portal (https://apt.thaicert.or.th/cgi-bin/aptgroups.cgi) with all the information regarding APT groups acquired from public sources. In this portal, apart from browsing threat groups and their tools, they present some statistics about threat group activities (source countries, target countries and sectors, most used tools…). Most of these threat groups are considered APT (at the time of this writing, 250 out of 329, with the last database change made on 20 October 2020). But what happens when you need specific statistics or correlations? You can download a JSON file and exploit it yourself:

$ curl -o out.json 'https://apt.thaicert.or.th/cgi-bin/getmisp.cgi?o=g'

But JSON is a modern thing and is hard to handle with awk, one of the Tools from the Gods; so we also download JSON.sh to convert it to a pipeable format:

$ curl -o JSON.sh https://raw.githubusercontent.com/dominictarr/JSON.sh/master/JSON.sh
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  4809  100  4809    0     0  15512      0 --:--:-- --:--:-- --:--:-- 15512
$ chmod +x JSON.sh

Now, we parse the JSON file with JSON.sh:

$ cat out.json |./JSON.sh -l > work.txt

Et voilà, we have a file to feel comfortable with. But to feel more comfortable, we split the file into many files, one for each threat actor identified by ThaiCERT (in our main file, by the “values” key):

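$ # highest actor index under the "values" key
$ n=`awk -F, 'index($1,"values")>0 {print $2}' work.txt |grep -v value| sort -n|uniq|tail -1`; export n
$ # JSON.sh array indices start at 0, so the first actor is 0.txt
$ for i in $(seq 0 $n);do grep "values\",$i," work.txt >$i.txt;done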

Please don’t blame us for the inefficiency of this one-liner; it will be executed only once. By the time you read this line, we have a single text file for each threat actor:

$ ls [0-9]*.txt |wc -l

Each of the text files is composed of entries of the form “[key] value”; here is an example:

$ cat 98.txt
["values",98,"value"] "DustSquad, Golden Falcon"
["values",98,"description"] "(Kaspersky) For the last two years we have been monitoring a Russian-language cyberespionage
actor that focuses on Central Asian users and diplomatic entities. We named the actor DustSquad and have provided private
intelligence reports to our customers on four of their campaigns involving custom Android and Windows malware. In this
blogpost we cover a malicious program for Windows called Octopus that mostly targets diplomatic entities.\n\nThe name
was originally coined by ESET in 2017 after the 0ct0pus3.php script used by the actor on their old C2 servers. We also
started monitoring the malware and, using Kaspersky Attribution Engine based on similarity algorithms, discovered that
Octopus is related to DustSquad, something we reported in April 2018. In our telemetry we tracked this campaign back to
2014 in the former Soviet republics of Central Asia (still mostly Russian-speaking), plus Afghanistan."
["values",98,"meta","synonyms",0] "DustSquad"
["values",98,"meta","synonyms",1] "Golden Falcon"
["values",98,"meta","synonyms",2] "APT-C-34"
["values",98,"meta","synonyms",3] "Nomadic Octopus"
["values",98,"meta","attribution-confidence"] "50"
["values",98,"meta","country"] "RU"
["values",98,"meta","motivation",0] "Information theft and espionage"
["values",98,"meta","date"] "2014"
["values",98,"meta","cfr-target-category",0] "Defense"
["values",98,"meta","cfr-target-category",1] "Government"
["values",98,"meta","cfr-target-category",2] "Media"
["values",98,"meta","cfr-suspected-victims",0] "Afghanistan"
["values",98,"meta","cfr-suspected-victims",1] "Kazakhstan"
["values",98,"meta","refs",0] "https://apt.thaicert.or.th/cgi-bin/showcard.cgi?u=982ea477-0c28-490e-87d6-3f43da257cae"
["values",98,"meta","refs",1] "https://securelist.com/octopus-infested-seas-of-central-asia/88200/"
["values",98,"meta","refs",2] "https://www.zdnet.com/article/extensive-hacking-operation-discovered-in-kazakhstan/"
["values",98,"related",0,"dest-uuid"] "e74394ee-e4ab-4642-aca4-fa84d0dcabbf"
["values",98,"related",0,"tags",0] "estimative-language:likelihood-probability=\"almost-certain\""
["values",98,"related",0,"type"] "uses"
["values",98,"related",1,"dest-uuid"] "3d3bf55f-402e-4122-a52b-196aed8e6507"
["values",98,"related",1,"tags",0] "estimative-language:likelihood-probability=\"almost-certain\""
["values",98,"related",1,"type"] "uses"
["values",98,"related",2,"dest-uuid"] "7ff6da6a-d13a-42db-91ac-ac6c3915f3d0"
["values",98,"related",2,"tags",0] "estimative-language:likelihood-probability=\"almost-certain\""
["values",98,"related",2,"type"] "uses"
["values",98,"uuid"] "982ea477-0c28-490e-87d6-3f43da257cae"

Now everything is ready to start parsing the files and getting results. Let’s go!
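
As an added example (not part of the original post), the awk function below tallies one "meta" field, such as country or motivation, across every actor in the JSON.sh output, counting each actor once per value and reporting actors that lack the field as "(unset)". The function name count_meta, the "(unset)" label and the sample records are constructed for illustration; each line is split on its bracketed key path rather than on every comma, because names and descriptions contain commas themselves.

```sh
#!/bin/sh
# Added example, not from the original post: tally one "meta" field per actor.

# Constructed records in the "[path] value" shape of work.txt (not real data).
sample_work() {
cat <<'EOF'
["values",0,"value"] "Actor A, Alias A"
["values",0,"meta","country"] "RU"
["values",0,"meta","motivation",0] "Information theft and espionage"
["values",1,"value"] "Actor B"
["values",1,"meta","country"] "CN"
["values",1,"meta","motivation",0] "Information theft and espionage"
["values",1,"meta","motivation",1] "Financial gain"
["values",2,"value"] "Actor C"
["values",2,"meta","country"] "RU"
["values",3,"value"] "Actor D"
["values",3,"description"] "Free text, with a fake [\"meta\",\"country\"] \"XX\" inside"
EOF
}

# count_meta FIELD < work.txt
# Prints "<number of actors> <value>", most frequent first.
count_meta() {
  awk -v field="$1" '
    /^\[/ {
      rb = index($0, "]")                     # end of the bracketed key path
      split(substr($0, 2, rb - 2), p, ",")    # path parts; keys have no commas
      if (p[1] != "\"values\"") next
      actors[p[2]] = 1                         # remember every actor index
      if (p[3] != "\"meta\"" || p[4] != ("\"" field "\"")) next
      val = substr($0, rb + 1)                 # value may contain commas
      gsub(/^[ \t]+"|"$/, "", val)             # drop separator and quotes
      if (!seen[p[2], val]++) { count[val]++; has[p[2]] = 1 }
    }
    END {
      for (a in actors) if (!(a in has)) count["(unset)"]++
      for (v in count) print count[v], v
    }' | LC_ALL=C sort -k1,1nr -k2
}

sample_work | count_meta country
```

Against the real data the call would be count_meta country < work.txt; the same function works for array fields such as motivation or cfr-target-category.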

IOCs are dead, long live IOCs!

An Indicator of Compromise (IOC) is defined as a piece of information that can be used to identify the potential compromise of an environment: from a simple IP address to a set of tactics, techniques and procedures used by an attacker in a campaign. Although when we speak of IOC we always tend to think of indicators such as IP or domains, the concept goes beyond this, and depending on their granularity, we can find three types of indicators:

  • Atomic indicators: those that cannot be broken down into smaller parts without losing their usefulness, such as an IP address or domain name.
  • Calculated indicators: those derived from data involved in an incident, such as a hash of a file.
  • Behavioral indicators: those that, from the treatment of the previous ones, allow the representation of the behavior of an attacker, his tactics, techniques and procedures (TTP).

CNA Tactics: a first proposal

(Editor’s note: this post was originally published in the Spanish version of Security Art Work on 11th November 2019)

Today we have a doctrinal and somewhat metaphysical article… I.e., something dense. Be warned :)

Within CNO (Computer Network Operations) we find three types of capabilities or actions: CND, CNA and CNE (Defense, Attack and Exploitation respectively).

While CND obviously deals with the defense of technological environments against attacks that are also technological —not against a missile that hits a Datacenter—, CNE operations and capabilities focus on the acquisition and exploitation of information through networks and computers: what we currently call cyberspying. For its part, CNA, Computer Network Attack, refers to what is often identified with purely destructive operations (the famous “4D”: disrupt, deny, degrade and destroy).

Any actor that executes CNO operations develops TTP (Tactics, Techniques and Procedures) to achieve its objectives; without going into the more formal definitions of the US military literature, tactics specify what an actor does, techniques specify how a tactic is implemented and procedures define a particular implementation —depending even on the person who applies them— of that tactic; this approach, from the higher level to a more operational level, models the behaviour of an actor, something similar to what is usually called its modus operandi.


(Cyber) GRU (XIV): conclusions

In this work, we have mainly analyzed the structure, targets and TTP of the GRU in the cyber field, based on the information brought to light during 2018, which allowed a detailed knowledge of the Service and its activities to be obtained, not only by intelligence services, but also by poor analysts like us who do not have all the capabilities that a state can have. With what we know, even analyzing public sources, we have access to information that in some cases should be considered sensitive and that, without a doubt, is being -or has been- analyzed by services from all over the world, starting with Russia itself.

The fact that we know the GRU better than a year ago does not mean that now it is a worse service than before; it will remain part of the elite, fulfilling its missions and acting “in any part of the world where it is required”, as one of its former directors said. The GRU, or APT28, or whatever you want to name it, will continue to be a very important player in the cyber field and, of course, in the non-cyber realm. We all make mistakes, and the GRU made them on that occasion – and they were published. However, in certain circles it is of more concern that the GRU failed in its operations than that the identities or modus operandi of some of its members were leaked.


(Cyber) GRU (XIII): questions and conspiracies

Everything that happened in 2018 in relation to the GRU, both the public accusations of different governments and the private investigations into its activities, makes us ask ourselves different questions; surely all of them have an answer, but we do not know them, or at least not for sure… so, we can also talk about conspiracies when it comes to answering these questions. Let’s see them in this section.

How was this information obtained?

We do not know. Certainly not from public sources: surely we are talking about information obtained from human sources, for example, from a possible mole in the Service … or in another service that knows the GRU well.
Some analysts relate the information that came to light this year to the arrest, in December 2016, of, among others, Sergei MIKHAILOV (Colonel of the FSB, Director of the Second Department of the ISC), Dmitry DOKUCHAEV (Commander of the FSB, assigned to the same department as MIKHAILOV and also sought by the FBI) and Ruslan STOYANOV (Kaspersky analyst, but previously linked to the FSB). All of them are accused of high treason and could have sold sensitive information to American intelligence. Could these people have betrayed the FSB, and by extension the GRU, by providing data on operations, agents, techniques … used by the Service against foreign interests? Could any of the Russian services still have an active mole that sells this information to other intelligence services? Who knows?

(Cyber) GRU (XII): OPSEC

The GRU members expelled from the Netherlands used basic OPSEC measures, such as throwing out their own rubbish while staying in a hotel; nevertheless, their arrest revealed the lack of other equally basic security measures, which will undoubtedly have given the Service plenty to talk about. Perhaps the proximity operations – at least in the Netherlands – were not considered a risk by the GRU, perhaps they were considered human failures due to breach of regulations … who knows. The fact is that this poor OPSEC brought to light information on identities, targets, TTP … that allowed us to know the Service a little better during 2018 and that would not be available had they acted otherwise.

When we talk about OPSEC, beyond formal models and methodologies, we always talk about the three Cs[1]: Cover, Concealment, Compartmentation. The cover of an operation must allow you to justify where you are (state) and what you are doing (action), the concealment must allow hiding activities or identities related to the operation and, finally, compartmentation, as a final line of defense, must minimize the impact in case things go wrong, not affecting other people, operations, etc.

(Cyber) GRU (XI): TTP

The information that has come to light in recent months, especially Mueller’s accusation, has identified different tactics and techniques of the GRU, some of them previously known – and in many cases linked to APT28 – and others that, although we could all imagine, no one had previously confirmed. These TTPs are summarized in the following table, based on an adaptation of the tactics and techniques published by MITRE in its ATT&CK framework:


(Cyber) GRU (X): objectives

Apart from some more specific objectives, such as Westinghouse Electric Company – with business in nuclear technology – or domestic routers that can be compromised to orchestrate a distributed attack against the real objective, the information published in 2018 has brought to light five major GRU objectives, consistent with the interests of the Service and consequently with those of the Russian Federation; these are the ones presented in this section.

It is striking that in most of these objectives – with the possible exception of Ukraine and its infrastructures – the GRU presumably always has an interest related more to the psychological side of the information confrontation to which we have referred than to a purely technical attack. In other words, it is unlikely that the GRU would attack targets such as the investigators of the use of Novichok or of the downing of MH17, which we will see below, with the intention of technologically altering the results of these investigations … it is more likely that the real objective was to obtain information: on the one hand, to know first-hand the state of the investigations at each moment and, on the other, equally important, to obtain data that would allow the Service to initiate disinformation campaigns against these investigating bodies, so that they would lose credibility in the eyes of society, thus benefiting the interests of the Russian Federation.

(Cyber) GRU (IX): structure. Other units

In addition to the two previous units, which have gained prominence from the information brought to light in 2018, the GRU has other Military Units linked to signal intelligence, cybersecurity or information warfare. Some of those for which we can find data in public sources are the following:

  • Military Unit 11135 (18th Central Research Institute). Historically ([1]), a Central Scientific Research Institute has been identified within the GRU that designs SIGINT equipment for the Service from Moscow; it is perhaps this Military Unit today, now focused not only on the interception of radio and satellite communications but also on wireless devices, SCADA systems or protection of communications ([2]).
  • Military Unit 40904, known as the “177th Independent Center for the Management of Technological Development”. Located in Meshcheryakova, 2 (Moscow), with high probability, this unit specializes in signal intelligence processing ([3]).
  • Military Unit 36360. Apparently it is a training unit of the GRU in which advanced intelligence courses are taught, at least since January 1949. This training, also apparently and according to open sources, includes topics closely linked to the cyber domain such as the following:
    • Telecommunications Engineering (communication by radio, radio broadcasting and television).
    • Technologies, networks and communication systems.
    • Information systems and technologies: information and analysis.
    • Software Engineering.
    • Applied Mathematics and Computer Science.
    • Information security.
    • Computer software.
    • Automated information processing and control systems.
    • Translation and translation studies (linguistics).
  • Military Unit 54726 (46th Central Research Institute), a center focused on military technical information, especially on the capabilities of foreign countries, which potentially includes research in the cyber field.


(Cyber) GRU (VIII): Structure. Unit 74455

Apparently, Unit 74455 is linked to operations of disinformation, influence, propaganda … which would reconfirm the broad concept of information warfare of the Russian military doctrine. We have already referred to it repeatedly, and to the mixture of the purely technical field with the psychological field (dezinformatsiya, spetspropaganda, kompromat, etc.).

In fact, the US DIA speaks of Russian information confrontation (informatsionnoye protivoborstvo, IPb) as the term used by the Government for the information war conflict, with two major measures: technical, as in classic CNO, and psychological, as the attempt to manipulate the population in favour of Russian interests ([1]), speaking openly of “cyber” PSYOP. The first of these measures would correspond to Unit 26165 and the second to Unit 74455.
