BlackHat USA 2016
When Governments Attack!
Eva Galperin / Global Policy Analyst / eva@eff.org
Cooper Quintin / Staff Technologist / [email protected]
Whois?
Eva Galperin, Cooper Quintin, Morgan Marquis-Boire, Claudio Guarnieri
What is EFF?
“What Binge On does, it includes a proprietary technology and what the technology does is not only detect the video stream but select the appropriate bit rate to optimize to the video, the mobile device. That’s part A of my answer. Part B of my answer is, who the fuck are you, anyway, EFF? Why are you stirring up so much trouble, and who pays you?” - John Legere
Q: Who the Fuck are you, anyway, EFF?
Legal Work
Q: Why are you stirring up so much trouble?
Activism
International Work
Technology
Q: Who pays you?
Targeted Attacks
Ethiopia
Iran
Pawn Storm / FancyBear / APT28
Operation Manul: Nobody Cares About Kazakhstan
Kazakhstan is here!
KZ!
NO DOGS WERE HARMED IN THE MAKING OF THIS TALK.
WE LOVE DOGS.
PLEASE ENJOY THIS UNICORN PICTURE.
I got a letter from the government the other day...
Mukhtar Ablyazov
Unveiling Operation Manul
JRat / Jacksbot
JRat / Jacksbot
• Java Based
• Multi Platform
  – Win, Mac, Linux, Solaris, *BSD
• Plugin Architecture and API
• Cheap!
JRat / Jacksbot
Server UI
JRat / Jacksbot
View Remote Screen
JRat / Jacksbot
Control Panel
JRat / Jacksbot - Other Features
• Process List
• Remote Shell
• Chat
• Edit Registry
• Manage Remote Filesystem
JRat / Jacksbot - Plugins
• Turn on remote webcam
• Disable webcam indicator light
• Password Recovery
• Keylogger
• Reverse SOCKS Proxy
• Roll Your Own...
JRat / Jacksbot - Anti Analysis
• Bytecode obfuscated with Zelix KlassMaster
• Encrypted config file
• Decryption key hidden in zip file metadata
• Detect Virtualization
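The anti-analysis slide notes that the decryption key is hidden in zip file metadata. As an added example (not from the talk or the authors' tooling), this Python triage helper lists every metadata location in a JAR/ZIP that carries unexpected bytes: the archive comment, per-entry comments and per-entry extra fields. The slide does not say which field is used, so checking all three is an assumption; the sample archive, the `config.dat` entry name and header ID `0x9999` are constructed.

```python
import io
import struct
import zipfile

# Extra-field header IDs that ordinary archivers and the JDK write.
KNOWN_EXTRA_IDS = {
    0x0001,  # ZIP64 extended information
    0x000A,  # NTFS timestamps
    0x5455,  # extended timestamp
    0x5855,  # Info-ZIP Unix (old)
    0x7075,  # Info-ZIP Unicode path
    0x7875,  # Info-ZIP Unix UID/GID
    0xCAFE,  # JAR marker written by the JDK (empty payload)
}


def parse_extra(extra: bytes):
    """Split an extra field into (header_id, payload) records plus leftover bytes."""
    records, pos = [], 0
    while pos + 4 <= len(extra):
        header_id, size = struct.unpack_from("<HH", extra, pos)
        if pos + 4 + size > len(extra):
            break  # truncated record: report the rest as leftover
        records.append((header_id, extra[pos + 4:pos + 4 + size]))
        pos += 4 + size
    return records, extra[pos:]


def zip_metadata_findings(data: bytes):
    """Return metadata locations in a ZIP/JAR that carry unexpected bytes."""
    findings = []

    def report(where, entry, payload):
        findings.append({"where": where, "entry": entry, "data": payload})

    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if zf.comment:
            report("archive comment", None, zf.comment)
        for info in zf.infolist():
            if info.comment:
                report("entry comment", info.filename, info.comment)
            records, leftover = parse_extra(info.extra)
            for header_id, payload in records:
                unknown = header_id not in KNOWN_EXTRA_IDS
                # The JAR marker is normally empty; a payload there is unusual.
                if unknown or (header_id == 0xCAFE and payload):
                    report(f"extra field 0x{header_id:04x}", info.filename, payload)
            if leftover:
                report("extra field trailing bytes", info.filename, leftover)
    return findings


def build_sample_jar() -> bytes:
    """Constructed sample: a tiny archive with 16 bytes parked in an extra field."""
    blob = bytes(range(16))  # constructed stand-in for hidden key material
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n")
        cfg = zipfile.ZipInfo("config.dat")  # constructed entry name
        cfg.extra = struct.pack("<HH", 0x9999, len(blob)) + blob  # constructed ID
        zf.writestr(cfg, b"\x00" * 32)
    return buf.getvalue()


if __name__ == "__main__":
    for f in zip_metadata_findings(build_sample_jar()):
        print(f"{f['where']:<28} {f['entry']!s:<12} {f['data'].hex()}")
```

A hit is only a lead for the analyst: unknown extra-field IDs also appear in benign archives, so the payload still has to be tested against the encrypted config.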
Bandook
• Another off the shelf, commodity RAT
• Continuously developed over a number of years
• Only targets Windows
• Modular:
  – Start shell, record sound, record video, keylogger, take screenshots, etc. etc.
C&C Servers
Axroot.com, Adobeair.net, kaliex.net…
• Windows servers, running XAMPP
• Do not appear to be shared hosts
  – Not many domains / shared document root
• But they are not sitting idle!
  – Many open ports and many open directories
Other Targets
Attribution Is Hard
Links to Kazakhstan
• Common thread between targets
  – Legal disputes against KZ government
• Phishing at private email address
  – Subpoenaed by Kazakhstan
• Arcanum Global Intelligence
  – Cyber Intelligence Operations
  – Hired by KZ to gather intel on Ablyazov family
Links Between Operation Manul and Appin
• Overlapping domains with Hangover, including appinsecurity.com
• Alleged use of Hackback trojan / similar to trojan used in Oslo
  – Unable to verify this
Other Considerations
It doesn’t need to be sophisticated to work.
We could(n’t) be heroes
What do we do?
• Outreach: community relations/trust building
• Incident response: malware analysis/forensics/threat intel
• Education: training/IT support/help desk
• Policy research: legal/law enforcement
• Advocacy: awareness/policy change
• Follow up with other affected parties
What is to be done?
What industry can do
• Anti-virus state sponsored warnings
• Better state-sponsored warnings
What you can do
Pick a cause you care about and get involved.
What Else Can You Do?
• If you have research related to the actors behind Operation Manul, publish it, or send it to us!
• Donate to EFF!
Takeaways
• None of this research is “sexy”. The tools and the actors aren’t sophisticated.
• Attacks don’t need to be sophisticated to work.
• But it’s not every day that malware research can prevent people from getting kidnapped or killed, and expose state crimes.
Acknowledgements
• Huge thanks to our fellow researchers: Morgan Marquis-Boire and Claudio Guarnieri.
• Operation Hangover: Snorre Fagerland, Morten Kråkvik, Jonathan Camp, Ned Moran.
• Hex-Rays, Joe Sandbox, Virus Total, Passive Total for donation of their services and software.
• Additionally we’d like to thank David Greene, Jamie Lee Williams, Meghan Fenzel, Nate Cardozo, Kurt Opsahl, Soraya Okuda, and Marion Marschalek, for their patience, help, support, and advice.
Further Reading
Operation Hangover: http://enterprise-manage.norman.c.bitbit.net/resources/files/Unveiling_an_India…
Oslo Freedom Forum: https://www.f-secure.com/weblog/archives/00002554.html
Iran 2FA Spearphishing: https://citizenlab.org/2015/08/iran_two_factor_phishing/
Pawn Storm EFF Report: https://www.eff.org/deeplinks/2015/08/new-spear-phishing….
Wassenaar: https://www.eff.org/deeplinks/2015/05/we-must-fight-proposed-us-wassenaar-impl….
Kidane V. Ethiopia: https://www.eff.org/cases/kidane-v-ethiopia
Ethiopia and FinFisher: https://citizenlab.org/2013/03/you-only-click-twice-finfishers-global...
Human Rights Watch Report on Kazakhstan: https://www.hrw.org/world-report/2015/country-chapters/kazakhstan