Malcolm Nance - The Plot to Hack America

The full text of Malcolm Nance's The Plot to Hack America can be read online here. City: New York. Year: 2016. Publisher: Skyhorse Publishing. Genre: Politics, Journalism. Language: English. The book's description and reader reviews are available on the LibCat library portal.

The Plot to Hack America: summary and description

In April 2016, computer technicians at the Democratic National Committee discovered that someone had accessed the organization’s computer servers and conducted a theft that is best described as Watergate 2.0. In the weeks that followed, the nation’s top computer security experts discovered that the cyber thieves had helped themselves to everything: sensitive documents, emails, donor information, even voice mails.
Soon after, the remainder of the Democratic Party machine, the congressional campaign, the Clinton campaign, and their friends and allies in the media were also hacked. Credit card numbers, phone numbers, and contacts were stolen. In short order, the FBI found that more than twenty-five state election offices had their voter registration systems probed or attacked by the same hackers.
Western intelligence agencies tracked the hack to Russian spy agencies and dubbed them the CYBER BEARS. The media was soon flooded with the stolen information channeled through Julian Assange, the founder of WikiLeaks. It was a massive attack on America but the Russian hacks appeared to have a singular goal—elect Donald J. Trump as president of the United States.
Praise for Malcolm Nance's New York Times bestselling The Plot to Hack America:

"I really think the [2016 Presidential] candidates ought to read this…. You should buy this book."
—RACHEL MADDOW, The Rachel Maddow Show, MSNBC

"A comprehensive, authoritative, and detailed compendium on the Islamic State (ISIS)."

"In his detailed and informed study Nance argues that, in effect, America's War on Terror created a new breed of vicious terrorists who wear the mask of Islam like actors in a Kabuki theatre while carrying out horrifically un-Islamic acts."
—RICHARD ENGEL, Chief Foreign Correspondent, NBC News, from his foreword

ON RUSSIAN HACKING

"Putin and the leaders throughout the world have no respect for our country anymore and they certainly have no respect for our leader."
—DONALD TRUMP, Republican presidential candidate and president of the Trump Organization

"We know that Russian intelligence services hacked into the DNC and we know that they arranged for a lot of those emails to be released…. But I think laying out the facts raises serious issues about Russian interference in our elections, in our democracy."
—HILLARY CLINTON, Democratic presidential candidate and former Secretary of State

"What we do know is that the Russians hack our systems. Not just government systems, but private systems."
—PRESIDENT BARACK OBAMA

"As an American double agent who worked against Russian intelligence in the US, this book shows how Putin's spies stop at nothing."
—NAVEED JAMALI, former double agent and author

RUSSIA'S RESPONSE

"I wouldn't know anything about it. You know, there are so many hackers today and they work with such finesse, planting a trail where and when they need…. It's difficult to trace, if even possible…. The important thing here is what the public was shown…. One shouldn't draw the public attention from the core of the issue by replacing it with secondary details like who did it."
—VLADIMIR PUTIN

"Overall, we still see attempts to use—manically use—the Russian issue during the US electoral campaign…. The absurd claims were immediately refuted directly by a presidential candidate's family."
—DMITRY PESKOV, Russian government spokesman


Tracking an APT means tracking more than its malware toolkits: the source of its infrastructure, including the IP addresses of its remote command-and-control (C2) servers, and in some cases the metadata left behind in the compiled tools the threat actors use, such as compile timestamps or resource language settings. The pattern of what the intruders steal also helps distinguish the group behind an infection. Nation-state hackers acting on behalf of Russia and China, for instance, do not typically engage in financial theft; they focus on espionage targets, even when the target is a private enterprise.

In the case of the attacks on the DNC, the company CrowdStrike identified two distinct actors on the DNC servers, in separate intrusions. CrowdStrike calls them FANCY BEAR and COZY BEAR; other security firms use other names for the same activity, depending on who encountered it. Fancy Bear is also commonly known as APT28 or Sofacy. Cozy Bear is commonly known as APT29.

APT 28—FANCY BEAR

Russian Military Intelligence (GRU)

APT28 goes by many names, depending on who discovered it, and learning the group's character means reading the cases investigated under each of those names. The firms also name the malware independently, so the same toolset can carry conflicting names. FireEye calls the group APT28, CrowdStrike named it FANCY BEAR, Trend Micro reports on it as Operation Pawn Storm, the Microsoft Security Intelligence Report calls it STRONTIUM, and SecureWorks tags it TG-4127.[8] It has also been called Sednit (by ESET), Tsar Team (by iSIGHT) and the Sofacy Group. Whatever the name, the methodology and toolset are distinctive and show a deployment sophistication that truly qualifies as an advanced persistent threat; it is considered one of the most potent of the known APTs.

Security researchers first identified the group in 2007. Its targets have ranged across Eastern Europe, including Ukraine, Georgia and Poland, south to Pakistan, and west to the United States and France. The group has been linked to the GRU. It was even tied to attacks on the Russian all-female punk band Pussy Riot.[9]

Typosquatters and Watering Holes

Many hackers set up typosquatting domains: they register a URL that is nearly identical to a well-known website, differing only by the kind of fat-fingered "typo" a user might make (e.g. Microsift.com, Amaxon.com), hence "typosquatter." A related technique for gathering login, password or financial information from a targeted victim is the watering hole: either a site the targets are known to visit is compromised and seeded with malicious code, or a decoy site loaded with malware is built and the targets are lured to it by spear-phishing emails carrying the link. To fool users into following such a link, the site must look relevant or identical to the target's working interests and carry very up-to-date content, whether a bombing attack in Iraq mentioned in an email to the Vatican Embassy in Iraq, or schedule and coordination information sent to Hungary. In many cases the malicious domain differs from the real one by only a character or two, or by a hyphen where the real site has a dot.

Trend Micro examined four cases in its "Operation Pawn Storm" reporting and found the following examples.

The hackers sent a series of emails to the Hungarian Ministry of Defense that appeared to invite the recipients to Eurosatory, the world's largest defense exhibition, held in Paris every two years. The email linked to "eurosatory2014.com", a false site that harvested the user's credentials. The technique relies on the employee believing the website is legitimate because they have attended the conference before or know of upcoming participation.[10]

A staff member of the Organization for Security and Co-operation in Europe (OSCE) in Vienna was the target of a phishing attempt: the link in an email sent to employees pointed at "vice-news.com", even though Vice News is actually found at "news.vice.com". To lure an employee at SAIC, the hackers used a link about "Future Forces 2014" that pointed at "natoexhibitionff14.com", when the real exhibition website is "natoexhibition.org".[11] The purpose was to get personnel to surrender their webmail login credentials so the hackers could walk in through the front door. The OSCE's real Outlook Web Access (OWA) host, for instance, is "login-in.osce.org", a subdomain of "osce.org"; the phishing domain bought to steal credentials was "login-in-osce.org", with a hyphen in place of the dot. SAIC's OWA host was "webmail.saic.com" under "saic.com"; the phishing domain bought was "webmail-saic.com".[12]

Fancy Bear also targeted Academi, the infamous company formerly known as Blackwater. The link sent to its staff was meant to look like it came from "tolonews.com", when in fact it led to "tolonevvs.com" (two v's standing in for the w), a lookalike domain that was part of the phishing campaign. As in the pattern above, the fake mail server name was a close misspelling that could pass a casual glance: "academl", ending in a lowercase L, in place of "academi.com".
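The lookalike domains in the four cases above all follow a handful of mechanical patterns: a hyphen where the real host has a dot, a brand name embedded in a different registrable domain, a glyph swap such as "vv" for "w" or "l" for "i", or a one-keystroke typo. The check below is an added example, not code from the book or from Trend Micro, and it goes slightly beyond the text by handling all four patterns in one classifier; the PROTECTED list holds the legitimate domains named on this page, and the hostnames scanned at the bottom are the phishing domains quoted above plus two benign ones for contrast.

```python
"""
Lookalike-domain check for the spear-phishing links discussed above.
Added example; not code from the book or from Trend Micro. PROTECTED lists
the legitimate domains named in the text, and LINKS are the phishing
hostnames quoted there (constructed input for a stand-alone run).
"""

PROTECTED = [
    "osce.org", "saic.com", "vice.com", "academi.com", "tolonews.com",
    "natoexhibition.org", "eurosatory.com", "microsoft.com", "amazon.com",
]

# Glyph pairs that look alike in a proportional font; folded before comparing.
HOMOGLYPHS = [("vv", "w"), ("rn", "m"), ("1", "i"), ("l", "i"), ("0", "o")]


def registrable(host):
    """Last two labels of a hostname. Assumption: two-label public suffixes
    only; use a Public Suffix List library for .co.uk and friends."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def split(domain):
    name, _, tld = domain.rpartition(".")
    return name, tld


def fold(name):
    for fake, real in HOMOGLYPHS:
        name = name.replace(fake, real)
    return name


def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(link_host):
    """Return (verdict, protected domain being imitated or None)."""
    reg = registrable(link_host)
    if reg in PROTECTED:
        return "legitimate", reg
    name, tld = split(reg)
    for good in PROTECTED:
        gname, gtld = split(good)
        if name.endswith("-" + gname) and tld == gtld:
            return "hyphen-for-dot", good      # login-in-osce.org, webmail-saic.com
        if fold(name) == fold(gname):
            return "homoglyph", good           # tolonevvs.com, academl.com
        if gname in name.split("-") or (name.startswith(gname) and name != gname):
            return "brand-in-name", good       # vice-news.com, eurosatory2014.com
        if levenshtein(name, gname) == 1:
            return "typo", good                # microsift.com
    return "unrelated", None


def scan(hosts):
    """Map each hostname to its verdict; anything other than 'legitimate'
    or 'unrelated' is a candidate for blocking at the mail gateway."""
    return {h: classify(h) for h in hosts}


# Constructed input: the hostnames quoted in the text plus two benign ones.
LINKS = ["eurosatory2014.com", "vice-news.com", "natoexhibitionff14.com",
         "login-in-osce.org", "webmail-saic.com", "tolonevvs.com",
         "academl.com", "microsift.com", "login-in.osce.org", "example.org"]

if __name__ == "__main__":
    for host, (verdict, target) in scan(LINKS).items():
        print(f"{host:26} {verdict:15} {target or ''}")
```

The order of the checks matters: the hyphen-for-dot test runs before the homoglyph fold so that "login-in-osce.org" is reported for what it is rather than mangled by the "l" to "i" substitution. Feeding the function the hostnames extracted from inbound mail links, and the brand names of the organisation's own webmail and partner sites, is what turns it into a detection rather than a demonstration.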

In the case of a German company, the attackers went so far as to buy an SSL certificate for their fake webmail domain. Such certificates let a site establish an encrypted connection to the visitor's browser, so the phishing page showed the same padlock a user would expect from the real login page. Trend Micro says it was able to warn the target and head off the attack only because of early detection.[13] Trend Micro then engaged the attackers by submitting fake credentials through these webmail login pages. The attackers responded "within minutes" of the deliberate "leak" of the fake accounts and began attempting to log in with them. After an initial login check that came from the phishing site itself, Trend Micro saw further login attempts from Latvia (46.166.162.90) and the United States (192.154.110.244).[14]
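What Trend Micro did with its fake credentials is a honey-token play that any organisation can repeat on its own authentication logs: seed a canary account into the phishing page, then alert on any use of that account, successful or not, and record the source addresses and how quickly they turned up. The monitor below is an added example, not code from the book or from Trend Micro; the log line format, the canary account name and the log lines themselves are constructed for this example (the two source IPs are the ones quoted in the text).

```python
"""
Canary-credential monitor for the honey-token technique described above.
Added example; not code from the book or from Trend Micro. The log format,
the canary account and SAMPLE_LOG are constructed; the two external IPs
are the ones quoted in the text.
"""
import re
from datetime import datetime, timezone

# Canary accounts and the moment each was "leaked" into a phishing page.
# Constructed names; a canary must never belong to a real employee.
CANARIES = {
    "j.novak": datetime(2014, 10, 8, 9, 0, 0, tzinfo=timezone.utc),
}

# Constructed log line shape: "<date> <time> <source-ip> <user> <OK|FAIL>"
LOG_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) (?P<user>\S+) (?P<result>OK|FAIL)$"
)

SAMPLE_LOG = """\
2014-10-08 08:55:12 10.1.2.3 a.smith OK
2014-10-08 09:07:41 46.166.162.90 j.novak FAIL
2014-10-08 09:08:03 46.166.162.90 j.novak FAIL
2014-10-08 09:31:55 192.154.110.244 j.novak OK
2014-10-08 09:40:00 10.1.2.7 b.jones OK
this line is malformed and must be skipped, not crash the monitor
"""


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S")
    return {"ts": ts.replace(tzinfo=timezone.utc), "src": m["src"],
            "user": m["user"], "result": m["result"]}


def canary_hits(log_text):
    """Every authentication attempt, successful or not, against a canary
    account, with the delay in seconds since that canary was seeded."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["user"] in CANARIES:
            rec["delay_s"] = int((rec["ts"] - CANARIES[rec["user"]]).total_seconds())
            hits.append(rec)
    return hits


def summarise(hits):
    """Per source IP: first attempt, number of attempts, whether any succeeded."""
    out = {}
    for h in hits:
        s = out.setdefault(h["src"], {"first_seen": h["ts"], "attempts": 0,
                                      "succeeded": False})
        s["attempts"] += 1
        s["first_seen"] = min(s["first_seen"], h["ts"])
        s["succeeded"] = s["succeeded"] or h["result"] == "OK"
    return out


if __name__ == "__main__":
    for src, s in summarise(canary_hits(SAMPLE_LOG)).items():
        print(f"ALERT canary used from {src}: {s['attempts']} attempt(s), "
              f"first {s['first_seen']:%Y-%m-%d %H:%M:%S}Z, success={s['succeeded']}")
```

Two design points follow from the Trend Micro episode. The canary account should be real enough to log into, but isolated (an empty mailbox with no group memberships), so that a successful login yields post-authentication telemetry instead of a dead end. The delay between seeding and first use is worth keeping: minutes, as here, indicates automated credential checking on the attacker's side rather than a human reading the day's phishing haul.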

Once inside, the hackers deploy a range of tools to take control of the infected computer and begin harvesting data to exfiltrate: credit cards, photos, or bitcoins, they steal it all.

In a Trend Micro assessment from August 2015, APT28, aka "Pawn Storm," directed 25 percent of its targeting at Ukraine, followed by the United States at 19 percent. By sector, the emphasis shifted with the country. In Russia, 23 percent of attacks targeted media, followed by diplomacy at 17 percent and activism at 15 percent. By contrast, the Ukrainian sectors struck were military (18 percent), media (18 percent) and government (16 percent). For the United States the picture was clearer still, with military at 35 percent, defense at 22 percent and government at 8 percent; attacks on American media stood at 7 percent.[15]

APT 29—COZY BEAR

Russian Federal Security Service / Foreign Intelligence Service (FSB/SVR)

Like its companion Russian cyber groups, APT29 has its own toolset and methods of attack. The group has been in operation since 2008; CrowdStrike named it COZY BEAR, and it is also known as CozyDuke. Before it struck the DNC, its targets included the U.S. State Department, the U.S. Joint Chiefs of Staff, and the White House. The group has developed a toolkit commonly labeled "The Dukes." One tool, called HAMMERTOSS or HammerDuke, even uses steganography (hiding data inside an ordinary-looking image file) to receive its instructions, fetching images referenced from Twitter posts. The group usually gains access to computers through spearphishing.

In a September 2015 study of APT29, the Finnish cyber security firm F-Secure found several samples of the group's activity in Chechnya dating from 2008 to 2015.[16] Though F-Secure calls the family "The Dukes," other firms have named and tracked the same toolkits: one implant found in the DNC breach is tracked as "SeaDaddy," and "HammerDuke" is the same tool FireEye tracks as HAMMERTOSS. The group's targets have included Chechnya, Ukraine, and the United States. Most of its activity falls within the working day of the UTC+3 and UTC+4 time zones, which, as with APT28, points to Russian origins.
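The time-zone argument above, and the earlier remark about metadata in compiled tools, rest on the same analysis: collect UTC timestamps of attacker activity (compile timestamps from the malware's PE headers, C2 check-ins, phishing send times) and find the UTC offset under which they fall most neatly into a weekday working day. The script below is an added example, not code from the book or from any vendor report; it reads the compile timestamp out of a PE header and scores every offset from UTC-12 to UTC+14 against a 09:00 to 18:00 working day. The PE header bytes and the event list are constructed here. Bear in mind that every one of these timestamps is attacker-controlled (Putin's "planting a trail" remark in the front matter is not wrong about that), so the result is one signal to weigh against C2 infrastructure and targeting, not proof on its own.

```python
"""
Working-day inference from attacker timestamps, for the two attribution
signals mentioned in the text: metadata in compiled tools (here the PE
compile timestamp) and the UTC+3/UTC+4 activity pattern. Added example;
not code from the book or from any vendor report. fake_pe() and EVENTS
are constructed sample data.
"""
import struct
from datetime import datetime, timedelta, timezone


def pe_compile_time(data):
    """COFF TimeDateStamp of a PE image as an aware UTC datetime.
    The field is attacker-controlled: it may be zeroed or forged, so treat
    it as one signal among several, never as proof."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    # COFF header follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    stamp = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def score_offsets(events, start=9, end=18):
    """For each UTC offset, the share of events landing on a weekday
    between `start` and `end` local time."""
    scores = {}
    for off in range(-12, 15):
        inside = 0
        for t in events:
            local = t + timedelta(hours=off)
            if local.weekday() < 5 and start <= local.hour < end:
                inside += 1
        scores[off] = inside / len(events)
    return scores


def likely_offsets(events, tolerance=0.0):
    """Offsets whose score is within `tolerance` of the best one; a
    non-zero tolerance reports the band (e.g. UTC+3/+4) rather than a point."""
    scores = score_offsets(events)
    top = max(scores.values())
    return sorted(off for off, s in scores.items() if s >= top - tolerance)


# ---- constructed sample data ------------------------------------------
def fake_pe(stamp):
    """Just enough of a PE header for pe_compile_time(): a DOS header with
    e_lfanew = 0x40, then the PE signature and a 20-byte COFF file header."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 3, int(stamp.timestamp()), 0, 0, 0xE0, 0x102)
    return bytes(hdr) + b"PE\0\0" + coff


COMPILE_STAMP = datetime(2014, 10, 8, 7, 30, tzinfo=timezone.utc)

# One working week of C2 check-ins at half past every hour from 06:30 to
# 14:30 UTC, Monday 6 Oct to Friday 10 Oct 2014, plus the sample's
# compile time (all constructed).
EVENTS = [datetime(2014, 10, 6 + d, h, 30, tzinfo=timezone.utc)
          for d in range(5) for h in range(6, 15)]
EVENTS.append(pe_compile_time(fake_pe(COMPILE_STAMP)))

if __name__ == "__main__":
    print("compile time:", pe_compile_time(fake_pe(COMPILE_STAMP)))
    for off, s in sorted(score_offsets(EVENTS).items()):
        print(f"UTC{off:+d}: {s:.0%}")
    print("best fit:", likely_offsets(EVENTS), "within 15%:", likely_offsets(EVENTS, 0.15))
```

On this constructed data UTC+3 fits perfectly and UTC+2 and UTC+4 sit just behind it, which is the shape of result the vendor reports describe: a band of neighbouring offsets, not a single zone. Real data needs a few hundred events before the band is meaningful, and an actor who batches operations or compiles with forged timestamps will produce a flat histogram rather than a wrong one.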
