apt28: ¿una ventana a las operaciones de ciber-espionaje … · de ciber-espionaje ruso? viii...

La defensa del patrimonio tecnológico

frente a los ciberataques

10 y 11 de diciembre de 2014

www.ccn-cert.cni.es © 2014 Centro Criptológico Nacional

C/Argentona 20, 28023 MADRID

APT28:

¿Una ventana a las operaciones de Ciber-Espionaje Ruso?

VIII JORNADAS STIC CCN-CERT

www.ccn-cert.cni.es

Fireeye / Mandiant

Ricardo Hernandez Calleja

[email protected]


FIREEYE MISSION

MORE ESSENTIAL THAN EVER TO THE WORLD’S ECONOMY

TECHNOLOGY INFRASTRUCTURE

COSTS OF COMPROMISE PALPABLE

THREATS TO INFRASTRUCTURE ARE REAL

WITH THE MOST ADVANCED TECHNOLOGY, THREAT INTELLIGENCE AND THE

WORLD’S MOST EXPERIENCED RESEARCHERS AND INCIDENT RESPONDERS

WE ARE COMMITTED TO STOPPING CYBER THREATS

CYBER SECURITY HAS NEVER BEEN MORE

CRITICAL


4

2. Objetivos de APT28 coinciden con los Intereses de Rusia

Índice

3. Características del Malware apuntan a programadores

rusos

4. Conclusiones

1. Claves encontradas en APT28

www.ccn-cert.cni.es


5

APT28

Claves Encontradas

www.ccn-cert.cni.es


APT28 Key Findings

APT28 targets insider information

related to governments,

militaries, and security

organizations that would likely

benefit the Russian government.

APT28 primarily targets Georgia,

Eastern Europe, and

European security organizations

using skillfully engineered

malware which was created

during normal

working hours in Moscow.


APT28 Primary Targets


APT28 Malware Overview


APT28 Malware Created in Moscow?


10

Coincidentes con

intereses de Rusia

Objetivos de APT28

www.ccn-cert.cni.es


Targeting: Caucasus Region


Targeting: Georgian Ministry of Internal Affairs


Targeting: Caucasus Region Militaries and Media

• Georgian military

• Armenian military

• Kavkaz Center


Targeting: Eastern Europe

• Ministry of Foreign Affairs infected

• Polish government targeted with CORESHELL

• MH17 lure

• Baltic Host exercises


Targeting: Eastern Europe


Targeting: European Security Organizations

• NATO

• OSCE


Targeting: Defense Attaches

• UK

• Turkey

• China

• Japan

• South Korea


Targeting: Defense


Targeting: Wide-ranging Interests


Lures


22

Malware apunta a

programadores Rusos

Características

www.ccn-cert.cni.es

Actualizado desde 2007


Malware


Malware: Ecosystem


Malware: Counter-analysis

• Unused machine instructions

• Runtime checks

• Obfuscated strings

• RSA encryption of stolen data


Malware: Updated Since 2007

• New network traffic formats, export functions, filenames

• Removed Russian language resources


Malware Variants

• CHOPSTICK backdoor

• HTTP variant

• SMTP variant

• Removable drive variant

• EVILTOSS backdoor

• x86 HTTP variant

• x64 HTTP variant

• x86 SMTP variant


Russian language in the code

• Locale and language identifiers associated with APT28 malware


When were developers working?


31

Conclusión

www.ccn-cert.cni.es


Questions?

Síguenos en Linked in

E-Mails

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

Websites

www.ccn.cni.es

www.ccn-cert.cni.es

www.oc.ccn.cni.es

apt28: ¿una ventana a las operaciones de ciber-espionaje … · de ciber-espionaje ruso? viii...

Documents