![Page 1: Non-Political Security Learnings from the Mueller Report...Unit 26165 spearphishing building malware mining bitcoin Unit 74455 assisted with release & promotion of stolen materials](https://reader034.vdocuments.mx/reader034/viewer/2022050716/5e2cf17aa5f5fe2d2d3b592d/html5/thumbnails/1.jpg)
Non-Political Security Learnings from the Mueller Report
Arkadiy Tetelman (@arkadiyt)
Agenda
● Background
● Blue Team Learnings
● Questions
About Me
● Arkadiy Tetelman (@arkadiyt)
● Head of Security at Lob
● Previously appsec at Airbnb, Twitter
● Fun fact
Background
Background
● 2 years 8 months
● Employed:
○ ~22 attorneys & paralegals
○ ~9 support staff
● Worked alongside:
○ ~40 FBI staff (agents, analysts, etc)
● Estimated cost: $25M
● Estimated gain: $48M
Background
● Volume 1: Russian interference in the 2016 election
○ II. “Active Measures” social media campaign
○ III. Hacking/dumping campaign
● Volume 2: Administration obstruction of justice
Blue Team Learnings
Timeline
* https://www.nytimes.com/2016/12/13/us/politics/russia-hack-election-dnc.html
Mr. Delavan ... said that his bad advice was a result of a typo: He knew this was a phishing attack, as the campaign was getting dozens of them. He said he had meant to type that it was an “illegitimate” email, an error that he said has plagued him ever since.
Phished Accounts
● numerous email accounts of Clinton Campaign employees and volunteers
● junior volunteers assigned to the Clinton Campaign's advance team
● informal Clinton Campaign advisors
● a DNC employee
● GRU officers stole tens of thousands of emails
Recommendations
● Password manager / hardware (U2F, WebAuthn) 2fa tokens
○ https://krebsonsecurity.com/2018/07/google-security-keys-neutralized-employee-phishing
● Ingest & alert on DNS
● Scan incoming emails
● Ingest mail audit log events
● Phishing exercises?
● Assume phishing
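Two of the recommendations above, "ingest & alert on DNS" and "ingest mail audit log events", as detection logic run over sample log lines. This is an added example written for this page, not code from the talk. The protected domains, the BIND-style query-log format, the mail audit event name (CREATE_FORWARDING_RULE) and its field names are all constructed for illustration and would have to be mapped onto your resolver's and mail provider's real log formats.

```python
"""Detections for two recommendations: lookalike domains in DNS query logs
and auto-forwarding rules in mail audit events.
Added example, not from the talk; formats and names below are constructed."""
import re

# Domains we protect against impersonation (hypothetical; use your own).
PROTECTED = {"example-campaign.org", "google.com"}

# BIND-style query log line (constructed format):
#   <ts> client <ip>#<port>: query: <name> IN <type> + (<resolver>)
DNS_RE = re.compile(r"client (?P<src>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\w+)")


def normalize(label: str) -> str:
    """Collapse common homoglyph tricks so g00gle and rnicrosoft compare equal
    to the brand they imitate. Multi-character swaps run first."""
    label = label.lower()
    for bad, good in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")):
        label = label.replace(bad, good)
    return label.replace("-", "")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using two rows of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(fqdn: str) -> str:
    """Last two labels. Simplification: a real deployment should use the
    public suffix list so that names under co.uk and similar are handled."""
    parts = fqdn.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def lookalike_of(fqdn: str):
    """Return the protected domain this name imitates, or None if it is
    either genuine (a real subdomain of a protected domain) or unrelated."""
    reg = registered_domain(fqdn)
    if reg in PROTECTED:
        return None
    label = normalize(reg.split(".")[0])
    for good in PROTECTED:
        good_label = normalize(good.split(".")[0])
        # typo-squat / homoglyph: at most one edit away after normalisation
        if edit_distance(label, good_label) <= 1:
            return good
        # brand embedded in a longer label, e.g. accounts-google.com
        if len(good_label) >= 5 and good_label in label:
            return good
    return None


def dns_alerts(lines):
    """(source ip, queried name, imitated domain) for every lookalike lookup."""
    alerts = []
    for line in lines:
        m = DNS_RE.search(line)
        if not m:
            continue
        target = lookalike_of(m["name"])
        if target:
            alerts.append((m["src"], m["name"], target))
    return alerts


def mail_alerts(events):
    """(actor, destination) for every forwarding rule that sends mail
    outside the protected domains. Event and field names are constructed."""
    alerts = []
    for ev in events:
        if ev.get("event") != "CREATE_FORWARDING_RULE":
            continue
        dest = ev["params"]["forward_to"]
        if registered_domain(dest.split("@", 1)[1]) not in PROTECTED:
            alerts.append((ev["actor"], dest))
    return alerts


# Constructed sample input.
SAMPLE_DNS = [
    "12-Mar-2016 10:15:02.123 client 10.0.0.12#51234: query: accounts-google.com IN A + (10.0.0.2)",
    "12-Mar-2016 10:15:03.001 client 10.0.0.12#51235: query: myaccount.google.com IN A + (10.0.0.2)",
    "12-Mar-2016 10:16:40.555 client 10.0.0.45#40001: query: g00gle.com IN A + (10.0.0.2)",
    "12-Mar-2016 10:17:00.000 client 10.0.0.45#40002: query: mail.example-campaign.org IN MX + (10.0.0.2)",
    "12-Mar-2016 10:17:05.000 client 10.0.0.77#40003: query: examp1e-campaign.org IN A + (10.0.0.2)",
]
SAMPLE_MAIL = [
    {"event": "LOGIN", "actor": "alice@example-campaign.org", "params": {}},
    {"event": "CREATE_FORWARDING_RULE", "actor": "alice@example-campaign.org",
     "params": {"forward_to": "archive@example-campaign.org"}},
    {"event": "CREATE_FORWARDING_RULE", "actor": "bob@example-campaign.org",
     "params": {"forward_to": "bob.backup@mail-archive-service.net"}},
]

if __name__ == "__main__":
    for a in dns_alerts(SAMPLE_DNS):
        print("DNS lookalike:", a)
    for a in mail_alerts(SAMPLE_MAIL):
        print("External forwarding rule:", a)
```

The one-edit threshold will fire on short brand names that happen to be a letter away from a real word, so tune it per domain; the substring rule is what catches the "accounts-google" style names that the phishing pages in this campaign used, and the forwarding-rule check is cheap insurance against the post-compromise step of silently copying a victim's mailbox out.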
* Report Volume 1, p38
Over the ensuing weeks, the GRU traversed the network, identifying different computers connected to the DCCC network. By stealing network access credentials along the way (including those of IT administrators with unrestricted access to the system), the GRU compromised approximately 29 different computers on the DCCC network.
Democratic Party
Recommendations
● “just” don’t allow 3rd party access into your network
* Report Volume 1, p38
The VPN in this case had been created to give a small number of DCCC employees access to certain databases housed on the DNC network.
Recommendations
● “just” don’t allow 3rd party access into your network
● segregate access, practice least privilege, add monitoring
Installed Tools
● X-Agent:
○ Log keystrokes, take screenshots, gather filesystem/OS info, etc
● X-Tunnel:
○ Create an encrypted tunnel for large-scale data transfers
● Mimikatz
● rar.exe
Stolen Data
● keylog sessions containing passwords, internal communications, banking information, sensitive PII
● internal strategy documents, fundraising data, opposition research, emails from work inboxes
● exfiltrated > 70GB in election documents
Structure of GRU
● Unit 26165
○ spearphishing
○ building malware
○ mining bitcoin
● Unit 74455
○ assisted with release & promotion of stolen materials
○ “Officers from Unit 74455 separately hacked computers belonging to state boards of elections, secretaries of state, and U.S. companies that supplied software and other technology related to the administration of U.S. elections.” (Report Volume 1, p37)
Exfiltration
DNC/DCCC → “Middle Servers” → “AMS Panel” → GRU
Recommendations
● alert on mimikatz
● endpoint monitoring
● network segregation
● IDS?
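The "alert on mimikatz" and "endpoint monitoring" recommendations as detection rules over endpoint telemetry, extended to cover the rar.exe staging step from the Installed Tools slide. This is an added example written for this page, not code from the talk. The events are constructed dicts shaped after the fields Sysmon emits for Event ID 10 (ProcessAccess) and Event ID 1 (ProcessCreate); the LSASS allowlist and the host, user and path values are hypothetical placeholders.

```python
"""Endpoint detections for the toolset on the Installed Tools slide:
Mimikatz-style LSASS credential dumping and rar.exe archive staging.
Added example, not from the talk. Events are constructed dicts shaped
after Sysmon Event ID 10 (ProcessAccess) and Event ID 1 (ProcessCreate)."""
import re

# Access-mask bit reported in Sysmon's GrantedAccess (hex string).
PROCESS_VM_READ = 0x0010  # enough to read credential material out of LSASS

# Processes allowed to open LSASS with read access. Hypothetical allowlist;
# populate it from your EDR/AV/backup agents and keep it path-exact.
LSASS_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

# Mimikatz module syntax on the command line (catches renamed binaries too).
MIMIKATZ_RE = re.compile(r"sekurlsa::|lsadump::|kerberos::|privilege::debug|mimikatz", re.I)

# rar "a" (add) command with -hp (encrypt data and headers): the classic
# "stage and password-protect before exfil" pattern.
RAR_STAGING_RE = re.compile(r"(?:^|\s)a\s.*\s-hp", re.I)


def lsass_access_alert(ev):
    """Sysmon EID 10: any non-allowlisted process reading LSASS memory."""
    if ev["EventID"] != 10 or not ev["TargetImage"].lower().endswith("\\lsass.exe"):
        return None
    src = ev["SourceImage"].lower()
    granted = int(ev["GrantedAccess"], 16)
    if src in LSASS_ALLOWLIST or not granted & PROCESS_VM_READ:
        return None
    return f"lsass-access host={ev['Computer']} src={src} access=0x{granted:x}"


def process_create_alert(ev):
    """Sysmon EID 1: Mimikatz command lines, and rar.exe staging even when
    the binary has been renamed (OriginalFileName comes from the PE header)."""
    if ev["EventID"] != 1:
        return None
    cmd = ev["CommandLine"]
    original = ev.get("OriginalFileName", "").lower()
    if MIMIKATZ_RE.search(cmd):
        return f"mimikatz-cmdline host={ev['Computer']} user={ev['User']} cmd={cmd!r}"
    if original in {"rar.exe", "winrar.exe"} and RAR_STAGING_RE.search(cmd):
        return f"rar-staging host={ev['Computer']} user={ev['User']} cmd={cmd!r}"
    return None


def triage(events):
    """Run every rule over every event; returns the alert strings in order."""
    alerts = []
    for ev in events:
        for rule in (lsass_access_alert, process_create_alert):
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample telemetry (field names follow Sysmon's).
SAMPLE_EVENTS = [
    {"EventID": 10, "Computer": "DCCC-WS01", "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "Computer": "DCCC-WS01", "SourceImage": r"C:\Users\Public\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 1, "Computer": "DCCC-WS01", "User": "DCCC\\jdoe", "Image": r"C:\Users\Public\update.exe",
     "OriginalFileName": "mimikatz.exe",
     "CommandLine": 'update.exe "privilege::debug" "sekurlsa::logonpasswords" exit'},
    {"EventID": 1, "Computer": "DCCC-WS01", "User": "DCCC\\jdoe", "Image": r"C:\Users\Public\x.exe",
     "OriginalFileName": "Rar.exe",
     "CommandLine": r"x.exe a -r -hpPassw0rd C:\Users\Public\docs.rar C:\Users\jdoe\Documents"},
    {"EventID": 1, "Computer": "DCCC-WS01", "User": "DCCC\\jdoe", "Image": r"C:\Program Files\WinRAR\Rar.exe",
     "OriginalFileName": "Rar.exe", "CommandLine": "Rar.exe x report.rar"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

The LSASS rule keys on the access mask rather than on the binary name because the tool is trivially renamed, and the rar rule keys on OriginalFileName for the same reason; both are noisy until the allowlist is tuned to the agents actually present on your fleet, which is exactly the endpoint-monitoring work the slide is recommending.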
Blue Team Conclusions
● attack vectors: spearphishing, lateral movement via overprivileged permissions & mimikatz
● defense in depth: 2fa, endpoint monitoring, least privilege, etc
● few organizations can defend against a nation state
Questions
Arkadiy Tetelman (@arkadiyt)