Does a BEAR Leak in the Woods? The DNC Breach, Russian APTs, and the 2016 U.S. Election

Upload: threatconnect

Post on 14-Apr-2017


Page 1: Does a Bear Leak in the Woods?

All material confidential and proprietary

Does a BEAR Leak in the Woods?
The DNC Breach, Russian APTs, and the 2016 U.S. Election

Page 2: Does a Bear Leak in the Woods?

Agenda

• The DNC Breach
• Guccifer 2.0
• The DCCC Breach
• DCLeaks and Spearphishing
• State Boards of Elections Attacks
• Conclusions

Page 3: Does a Bear Leak in the Woods?

From Russia, With Love
The Basics of the Breaches and the BEARs

© 2016 ThreatConnect, Inc. All Rights Reserved

Page 4: Does a Bear Leak in the Woods?

Background

FANCY BEAR
● AKA Sofacy, APT 28
● Extensive targeting of defense ministries and military victims
● Suspected GRU, Russia’s primary military intelligence service
● Implants include Sofacy, X-Agent, X-Tunnel, WinIDS droppers
● Steals victim credentials by spoofing their web-based email services
● Linked to intrusions into the German Bundestag and France’s TV5 Monde

COZY BEAR
● AKA CozyDuke, APT 29
● Wide ranging target set
● Uses sophisticated RATs w/extensive anti-analysis techniques
● Broadly targeted spearphish campaigns with links to a malicious dropper
● Linked to intrusions into unclassified White House, State Department, and U.S. Joint Chiefs of Staff networks

Page 5: Does a Bear Leak in the Woods?

The DNC Breach

14 June
• Washington Post article reports breach, cites CrowdStrike attribution to Russian Advanced Persistent Threat (APT) groups
• FANCY BEAR
• COZY BEAR

Separate breaches
• No evidence the two groups knew the other was there

Page 6: Does a Bear Leak in the Woods?

DNC Breach

FANCY BEAR
● Breached DNC in April 2016
● X-Agent malware with capabilities to do remote command execution, file transmission and keylogging.
● X-Tunnel network tunneling tool
● Both tools deployed via RemCOM, an open-source replacement for PsExec available from GitHub.
● Anti-forensic measures such as periodic event log clearing and resetting timestamps of files.

COZY BEAR
● Breached DNC in Summer 2015
● SeaDaddy implant developed in Python and a Powershell backdoor stored only in WMI database
● Allowed the adversary to launch malicious code automatically at will, executing in memory
● Powershell version of MimiKatz used to acquire credentials for lateral movement

Page 7: Does a Bear Leak in the Woods?


Meanwhile, at ThreatConnect...

Page 8: Does a Bear Leak in the Woods?


● Started looking for other BEAR infrastructure

● Shared out the CrowdStrike analysis

Page 9: Does a Bear Leak in the Woods?

Passive DNS on FANCY BEAR IP 45.32.129[.]185:
● misdepatrment[.]com
● Spoofs MIS Department’s legitimate domain

Page 10: Does a Bear Leak in the Woods?

Legitimate MIS Department domain:
● Lists DNC as a client
● Spoofed domains a common tactic

Page 11: Does a Bear Leak in the Woods?

Whois Information:
● Paris, France
● [email protected] email

Page 12: Does a Bear Leak in the Woods?


The Shiйy ФbjЭkt

Guccifer 2.0

• Emerged on 15 June, just after DNC breach is reported, with a WordPress blog
• Twitter handle created on 20 June
• Borrowed Guccifer name from jailed Romanian hacker Marcel Lazăr Lehel

His Claims:
• “Hacked” the DNC in Summer 2015
• Romanian, with no affiliation to Russia
• Motivated to create a world “free from Illuminati”

His Actions:
• Posts purloined docs on his blog
• Leaks docs via journalists and WikiLeaks

Page 13: Does a Bear Leak in the Woods?

Hacktivist? Or State-Sponsored Faketivist?

Guccifer 2.0’s Actions are Atypical Hacktivist Behaviors
• Typically don’t stay quiet for long
• Politically-motivated hacktivists often quickly seek publicity
• Could have gotten scooped

Persona Doesn’t Add Up
• No backstory
• When questioned in Romanian, answers aren’t native language
• VICE: English sentence construction suggests native Russian speaker
• Tone in posts and interviews doesn’t read like it’s one person talking

Page 14: Does a Bear Leak in the Woods?

The More He Talks About the Breach, The Less Plausible It Sounds

Claim: Found 0-day in NGP VAN, a niche SaaS platform
• Fuzzing, IDA Pro, WinDbg

Problem: Targeted platform is a multi-tenant cloud solution
• No local binary to fuzz, disassemble, or debug
• Word choice in responding suggests lack of technical expertise

Claim: Compromised the DNC last summer
• Exploited bug that gave Sanders campaign unauthorized access to voter information

Problem: Bug did not exist until December 2015
• Only Chuck Norris can exploit a vulnerability for software that has not yet been written

Page 15: Does a Bear Leak in the Woods?

Getting to Know Journalists

Leaked Documents Directly To:
• The Smoking Gun
• The Hill
• Vocativ

Reporters say Guccifer 2.0 is pushing hard for them to publish, but docs are not really newsworthy

13 July: Guccifer 2.0 tells The Hill “The press [is] gradually forget[ing] about me, [W]ikileaks is playing for time and [I] have some more docs.”

Reporters from these publications share the email headers with ThreatConnect for analysis

Page 16: Does a Bear Leak in the Woods?

Tracing Guccifer 2.0 Infrastructure Back to a Russian VPN

The French Connection
• French Twitter account
• French AOL account - guccifer20@aol[.]fr
• Originating French IP - 95.130.54[.]34

What’s on That IP?
• OpenSSH and Point-to-Point Tunnelling
• SSH fingerprint shared with six other IPs

Not a Tor Node, but Russia’s Elite VPN Service
• vpn-service[.]us
• sec.service@mail[.]ru original registrant
• All IPs offered share the same SSH fingerprint
• Guccifer 2.0’s IP not publicly available

Page 17: Does a Bear Leak in the Woods?

The DCCC Breach

• 29 July: Reuters article reports breach, cites FBI investigation, and speculates the same actors responsible for the DNC compromise may be related to this breach
• Indicator characteristics previously linked to FANCY BEAR
• 12 Aug: Guccifer 2.0 publishes documents obtained via the breach

Page 18: Does a Bear Leak in the Woods?


Spoofed donation website actblues[.]com

● Registrant address fisterboks@mail[.]com previously registered three other domains linked to FANCY BEAR

● Registered on 14 June - timing consistent with adversary reacting to heightened focus after the DNC breach announcement

● Name servers are the same as those used by the registrant of a spoofed domain linked to FANCY BEAR C2 infrastructure used in DNC breach

Page 19: Does a Bear Leak in the Woods?


Meanwhile, at ThreatConnect... Part 2


Page 20: Does a Bear Leak in the Woods?

Meanwhile, at ThreatConnect... Part 2

Infrastructure graph (nodes recovered from the slide image):
• Email addresses: fisterboks@mail[.]com, frank_merdeux@europe[.]com
• Domains: actblues[.]com, fastcontech[.]com, intelsupportcenter[.]com, intelsupportcenter[.]net, misdepatrment[.]com, httpconnectsys[.]com
• Name servers: I.T. Itch, .bitcoin-dns[.]hosting
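The registrant, name-server, passive-DNS and SSH-fingerprint pivots described on the VPN, DCCC and graph slides, as an added example (not ThreatConnect's tooling): a breadth-first walk over indicator relations that records, but refuses to expand through, widely shared nodes such as a popular name server. Every record, name, address and fingerprint below is constructed; none is an indicator from the deck.

```python
from collections import defaultdict, deque

# Constructed records only (.test names, TEST-NET addresses, a made-up
# fingerprint): (indicator, relation, indicator). They stand in for the
# WHOIS, name-server, passive-DNS and SSH-fingerprint data the slides
# pivot on; none of them are the deck's own indicators.
RECORDS = [
    ("spoof-donate.test", "registrant", "reg1@mail.test"),
    ("spoof-tech.test", "registrant", "reg1@mail.test"),
    ("spoof-donate.test", "nameserver", "ns1.niche-host.test"),
    ("spoof-c2.test", "nameserver", "ns1.niche-host.test"),
    ("spoof-c2.test", "resolves_to", "203.0.113.10"),
    ("203.0.113.10", "ssh_fingerprint", "SHA256:CONSTRUCTED-FP-1"),
    ("203.0.113.11", "ssh_fingerprint", "SHA256:CONSTRUCTED-FP-1"),
    # A popular name server shared by unrelated sites: a poor pivot.
    ("spoof-donate.test", "nameserver", "ns.bigdns.test"),
    ("shop-a.test", "nameserver", "ns.bigdns.test"),
    ("shop-b.test", "nameserver", "ns.bigdns.test"),
    ("shop-c.test", "nameserver", "ns.bigdns.test"),
]

def build_graph(records):
    """Undirected adjacency: indicator -> {(relation, neighbour)}."""
    adj = defaultdict(set)
    for a, rel, b in records:
        adj[a].add((rel, b))
        adj[b].add((rel, a))
    return adj

def pivot(seed, records, max_fanout=3, max_hops=6):
    """Breadth-first pivot from one indicator. Returns {indicator: path},
    path being the (from, relation, to) steps that reached it. A node with
    more than max_fanout neighbours is kept as a lead but never expanded,
    otherwise every tenant of a shared host would look 'linked'."""
    adj = build_graph(records)
    paths = {seed: []}
    queue = deque([seed])
    while queue:
        node = queue.popleft()
        if node != seed and len(adj[node]) > max_fanout:
            continue  # hub: keep as a lead, do not pivot through it
        if len(paths[node]) >= max_hops:
            continue
        for rel, nxt in sorted(adj[node]):
            if nxt not in paths:
                paths[nxt] = paths[node] + [(node, rel, nxt)]
                queue.append(nxt)
    return paths
```

Starting from the spoofed donation domain, the walk reaches the sibling domain via the registrant, the C2 domain via the niche name server, and a second server via the shared SSH fingerprint, while the shops behind the popular name server stay out.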

Page 21: Does a Bear Leak in the Woods?

Guccifer 2.0 Shows Us DCLeaks

27 June: In emails with The Smoking Gun, Guccifer 2.0 directs reporter to a portfolio of emails on DCLeaks
• Content is password protected
• Asks reporter not to mention him in connection with DCLeaks

TSG sees Rinehart profile on the site, contacts him, gets a copy of spearphish for ThreatConnect to analyze

Other notable profiles: General (ret.) Phillip Breedlove, George Soros, Republicans

Page 22: Does a Bear Leak in the Woods?


DCLeaks

Background

• Established in April 2016

• Claims to be a “new level project” initiated by “the American hacktivists”

• Registered by feehan@europe[.]com

• Initial name server and name server at time of initial publication also hosted domains associated with FANCY BEAR

Page 23: Does a Bear Leak in the Woods?


FANCY BEAR Spearphishing

BEWARE OF PHISHING

March 2016: FANCY BEAR spearphishing campaign targeting Clinton campaign staff

● Spearphish claims suspicious login activity and requests user change password

● Used Bitly to shorten malicious links

● Base64-encoded string containing the victim's full email address is passed with this URL, prepopulating a fake Google login page displayed to the victim

Published by SecureWorks Counter Threat Unit on 16 June

Page 24: Does a Bear Leak in the Woods?

DCLeaks and Billy Rinehart Jr.

• 22 March: Spearphish sent to DNC regional field director Bill Rinehart Jr.
• Spoofed legitimate Google Mail account
• Sent from hi.mymail@yandex[.]com
• Looked like a Google security notification
• Contained a link to a bit.ly shortened URL
• Clicked one time on 20 March 2016
• Faux Google login page: myaccount.google.com-securitysettingpage[.]ml
• Facilitated “Man in the mailbox” attack
• Rinehart unaware he was a victim until journalist contacted him
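An added example (not from the deck or ThreatConnect) of checking a URL for the two traits the spearphishing slides describe: a trusted hostname embedded in an unrelated registered domain, and a Base64 parameter that decodes to the victim's e-mail address so the fake login page can be pre-filled. The host is the one shown on the slide; the path, the `e` parameter and the address `jane.doe@example.org` are constructed.

```python
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Host as shown on the slide (de-fanged there); path, parameter and
# address are constructed. 'e' carries Base64 of jane.doe@example.org.
SAMPLE_URL = ("http://myaccount.google.com-securitysettingpage.ml"
              "/signinoptions/password?e=amFuZS5kb2VAZXhhbXBsZS5vcmc=")
EMAIL_RE = re.compile(r"^[\w.+-]+@[\w-]+(\.[\w-]+)+$")

def registrable_domain(host):
    """Last two labels. Fine for .ml/.com; use a public-suffix list in
    production so that two-level suffixes such as co.uk work too."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def lookalike(host, trusted):
    """True when a trusted name is embedded in the host (google.com-...)
    but the domain that was actually registered is a different one."""
    reg = registrable_domain(host)
    return any(t in host.lower() and reg != t for t in trusted)

def b64_email(value):
    """Decode Base64 (padding-tolerant; '+' restored after form decoding)
    and return the text only if it is an e-mail address."""
    value = value.replace(" ", "+")
    try:
        raw = base64.b64decode(value + "=" * (-len(value) % 4), validate=True)
        text = raw.decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if EMAIL_RE.match(text) else None

def analyze_url(url, trusted=("google.com",)):
    """Registrable domain, look-alike verdict, and any query/fragment value
    that decodes to an e-mail address (the pre-filled login bait)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    found = [(k, e) for k, vals in parse_qs(parts.query).items()
             for v in vals if (e := b64_email(v))]
    if parts.fragment and (e := b64_email(parts.fragment)):
        found.append(("#fragment", e))
    return {"host": host, "registrable_domain": registrable_domain(host),
            "lookalike": lookalike(host, trusted), "prefilled_emails": found}
```

Run over proxy or mail-gateway URL logs, a hit on both checks at once is a strong credential-phishing signal; the same function leaves the genuine `myaccount.google.com` alone.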

Page 25: Does a Bear Leak in the Woods?

State Boards of Elections

Background

• Jul - Aug 2016

• Arizona and Illinois

Page 26: Does a Bear Leak in the Woods?

This is a pronounced shift in targeting for FANCY BEAR. Why?

Page 27: Does a Bear Leak in the Woods?


Page 28: Does a Bear Leak in the Woods?


Page 29: Does a Bear Leak in the Woods?


The BEAR Essentials

● Fingerprints of known Russian APT threat actors identified

● Multiple venues to breach and leak data

● Victims consistent with known targeting focus

Page 30: Does a Bear Leak in the Woods?


TL;DR

Page 31: Does a Bear Leak in the Woods?


Conclusions


Page 32: Does a Bear Leak in the Woods?


What is going on here?

Worst case: Interfere with U.S. ability to hold a credible election

• Precedent: CyberBerkut activity against Ukrainian government during 2014 election

Damage individual politicians by leaking embarrassing data

Dumping large amounts of personal data is deemed totally acceptable

Undermine faith in government processes and leadership - throw “sand in the gears”

Amplify these messages through Russian propaganda channels and media for domestic Russian audience

Page 33: Does a Bear Leak in the Woods?


How?

Operationalize exfiltrated data across a variety of different outlets

• WikiLeaks, DCLeaks, Guccifer 2.0 going to individual reporters
• Credibility of mouthpiece doesn’t have to be airtight, just good enough

Concerns about data integrity

• Guccifer 2.0 first three data dumps
• CyberBerkut editing documents also posted on DCLeaks

This activity is likely to continue

Page 34: Does a Bear Leak in the Woods?


The Value of Good Analytic Tradecraft

Technical

Infrastructure analysis

• Passive DNS
• WHOIS
• Start of Authority records
• Name Servers

Develops picture of adversary TTPs

Info Sharing

Working with a number of reporters to:

• Broaden the pool of additional indicators

• Identify TTPs
• Provide I&W of new campaigns

Strategic Context

The Diamond Model of Intrusion Analysis

Structured Analytic Techniques

• Analysis of Competing Hypotheses

Page 35: Does a Bear Leak in the Woods?

ThreatConnect Blogs: www.threatconnect.com/blog

2 Sep: Can a BEAR Fit Down a Rabbit Hole?

• SBOE Attacks and TUR/UKR Spearphishing

19 Aug: Russian Cyber Operations on Steroids

• Attacks Against WADA

12 Aug: Does a BEAR Leak in the Woods?

• Identifies DCLeaks as another Russian-backed influence outlet

29 Jul: FANCY BEAR has an (IT) Itch They Can’t Scratch

• DCCC breach infrastructure

26 Jul: All Roads Lead to Russia

• Review of French infrastructure associated with Guccifer 2.0’s media communications

20 Jul: The Man, The Myth, The Legend

• Update to previous Guccifer 2.0 evaluation and projections for the persona’s future use

7 Jul: What’s in a Name Server

• Identifies additional suspicious infrastructure based on name servers

29 Jun: Shiny Object

• Evaluation of hypotheses on Guccifer 2.0’s true identity

17 Jun: Rebooting Watergate

• Additional research into the DNC breach and associated infrastructure

Page 36: Does a Bear Leak in the Woods?


THANK YOU!


Twitter: @threatconnect, @t_gidwani

Sign up for a free account: www.threatconnect.com/free

Page 37: Does a Bear Leak in the Woods?

Timeline Over the First Week

● All docs in first three Guccifer 2.0 releases created after DNC breach announced
● Naming conventions off
● Word documents in RTF format