Saturday, May 31, 2014

Red Sky Weekly: Did Russia attempt to sway the Ukrainian Presidential Election?

Wapack Labs, under a project named "8-ball", maintains watch over cyber activities between Russia and the Ukraine in an effort to warn Red Sky Alliance and FS-ISAC members of impending threats to their businesses and interests in the area. We've authored reports on Telephony Denial of Service (TDoS) attacks and details involving the CyberBerkut group and their tools.

This week we published a priority intelligence report that demonstrated the ability of the Russian and Ukrainian governments to develop and deploy cyber operations (on the Russian side, aimed at interfering with the election of the next Ukrainian president; on the Ukrainian side, the ability to identify, defend, and arrest). We believe the actions taken by the Russian attackers may be indicative of actions that could be used against other organizations, and identifying lessons learned may help them better understand new threats and defend against future attacks. 

The abbreviated version of the story goes like this...

We all know how television stations broadcast election results throughout the evening, tallying votes and predicting winners. The presidential election in the Ukraine was no different. Russian television (Channel One) broadcast updates through the evening. Unfortunately, the updates were being taken from a feed from a compromised Ukrainian election commission system.

On May 25, 2014, Russian state TV Channel One reported that a controversial Ukrainian nationalist and leader of the Right Sector, Dmytro Yarosh, was leading in the elections with 37 percent of the vote, when all other sources were showing another, moderate candidate's clear victory and Dmytro Yarosh's results under 1 percent (see Figure 1).

Figure 1: Russian Channel One television coverage of fake election results

Ukrainian media sources stated that 40 minutes before the Russian media reported the fake results, Ukrainian cyber security forces neutralized a virus in the Ukrainian Central Election Commission system. The virus was supposedly planted to manipulate the system that reported election results, producing the report of 37% of the vote for Dmytro Yarosh. Channel One was thought to be reporting on data received from a legitimate Ukrainian Central Election Commission system, a possible (but unconfirmed) unwitting participant in an attempt to discredit the Ukrainian election.

The Security Service of Ukraine reported that it had arrested a group of hackers in Kiev who were working to compromise the electoral system. As reported by the Kyiv Post, according to Victor Yagun, Deputy Head of the Security Service of Ukraine (also known as the SBU), "A group of hackers has been arrested in Kiev with specialized equipment intended to rig the results of Ukraine's presidential election." This article [in Russian] offered deeper details on the arrest and the hacking attacks during the elections.

Additional reporting suggests multiple coordinated tactics were used to sway the election. Telephony Denial of Service (TDoS) attacks were used in an attempt to block the phones of the electoral commissions. Another report suggested redirection of traffic from the electoral commission to a different IP address. A DDoS was run from Ukrainian servers operated by a Russian citizen. And Russian botnets were believed to have been used to deny access to results other than those being shown on Russian Channel One.

We provide intelligence and analysis to a lot of companies and organizations. Much of it is retrospective in nature, but some of it is also forward looking. One of the best ways to understand possible future actions is to understand how cyber is used during conflict. And there is no better time to learn how government-sponsored cyber actions will unfold than by watching the activities between Russia and Ukraine.

Did Russia attempt to sway the Ukrainian presidential election? You make the call. Certainly the increase in cyber activity suggests an attempt to influence it. Regardless, at the strategic level Wapack Labs "Project 8-ball" is offering continued Russia/Ukraine situational awareness to Red Sky Alliance members and others. At the tactical level, we've published detailed workings of the tools used, along with indicators and rules that may be placed in intrusion detection systems and other layers of defense in depth, to help protect our members and customers who are operating in the area.

Rick will be posting next week. I'm taking a week off, flyfishing with an old friend in what we're calling "Advanced Persistent Trout". I'm placing my email on 'Out of Office' today. If you need to contact us, please contact Jim McKee or Rick Gamache for membership questions.

Have a great week! 
Jeff

Saturday, May 24, 2014

Red Sky Weekly: Happy Memorial Day!

I wrote a blog this morning, but after reading it and re-reading it, I just didn't like it. So I thought I'd keep it simple. 

Thank you to all who've served. I am a vet. Many of my friends are vets. Most of the Red Sky Alliance and Wapack Labs team are either vets or currently serving as reservists. Enjoy the long weekend and please, in between activities marking the official beginning of summer, take a moment to remember those who are serving, have served, those who've stopped at Walter Reed on their way home, and those who've paid the ultimate price. At the same time, don't forget the families. They've supported us on deployment, and probably much harder, when we returned. 

Happy Memorial Day!
From the teams at Red Sky Alliance and Wapack Labs

Saturday, May 17, 2014

Red Sky Weekly: Uptick in Dark Comet RAT?

Indicator aging is a topic that comes up often in conversations with folks who're interested in knowing how we handle old indicators. And in most cases, I have stories of VPN drivers, and newcomers pinning on their first oh sh*t badge, who get hit first with the old stuff. This week we had a great example of why old indicators must be kept up to date, with a story of an old RAT being used in a slightly different way... Dark Comet, labeled by Symantec as "Backdoor.Breut", had been credited by CNN for its use by the Syrian regime against those who opposed them.

This week, Dark Comet RAT appeared on our radar. Although it has been available for years, Dark Comet remains popular among hackers. Recent activity observed by our lab indicates an uptick in the use of this tool, and it's not showing any signs of slowing down... and it's sporting a new twist: mobile command and control (C2).

Geolocation of DarkComet RAT Mobile C2 nodes
In a new development, analysts at Wapack Labs observed the use of what we are calling "Mobile C2s". A couple of recent variants leveraged No-IP domains that showed historical resolutions to dozens of IPs. Upon closer inspection, it was revealed that the majority of them were mobile service provider hosts. This would suggest that the attackers are running the C2 controller on a laptop with mobile broadband and a No-IP client. During our research we also discovered a number of DynDNS clients for mobile apps; however, to our knowledge there are no Dark Comet controllers compatible with mobile devices. Either way, this may be signaling a new trend.

While a mobile C2 may represent a convenient option for the attacker, it does offer some interesting data points for tracking. Using historical resolutions for one C2, we identified 26 separate mobile provider hosts with resolutions starting in late February and continuing to the present. The majority of the hosts were geo-located within a two-mile radius in London; however, on 11 April we see a hit for Stevenage, which is an hour north of the primary cluster.


Despite the relative anonymity of using Mobile infrastructure for C2 it does clearly allow for higher confidence tracking of actor movements and activity. Wapack Labs is keeping a close eye on these networks and the continued use of this TTP.
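The tracking technique described above, pivoting on a dynamic-DNS hostname's historical resolutions, enriching each address with its owning organisation, and looking for a geographic cluster plus outliers, is easy to put into code. The following is an added example written for this post, not Wapack Labs' own tooling. Every resolution record, IP address (RFC 5737 documentation ranges) and ASN organisation name in it is constructed sample data, and the coordinates are approximate city centres used only to exercise the distance check; a real run would feed in records exported from a passive-DNS source and an ASN/geo enrichment.

```python
"""Pivot on the historical DNS resolutions of a suspected C2 hostname.

Added example, not Wapack Labs' tooling. All records below are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from statistics import median


@dataclass(frozen=True)
class Resolution:
    """One historical A-record resolution, enriched with ASN owner and geo data."""
    date: str       # YYYY-MM-DD on which the hostname was seen resolving to ip
    ip: str
    asn_org: str    # owner of the address block (from ASN/WHOIS enrichment)
    lat: float
    lon: float


# Constructed: ASN organisations we treat as mobile broadband providers.
MOBILE_ASN_ORGS = {"Example Mobile UK", "Example Cellular Ltd"}

# Constructed passive-DNS history for one dynamic-DNS C2 hostname.
SAMPLE_RESOLUTIONS = [
    Resolution("2014-02-26", "198.51.100.7", "Example Mobile UK", 51.510, -0.120),
    Resolution("2014-03-03", "198.51.100.21", "Example Mobile UK", 51.500, -0.130),
    Resolution("2014-03-09", "203.0.113.44", "Example Cellular Ltd", 51.515, -0.140),
    Resolution("2014-03-20", "198.51.100.88", "Example Mobile UK", 51.505, -0.110),
    Resolution("2014-04-02", "203.0.113.9", "Example Cellular Ltd", 51.512, -0.125),
    Resolution("2014-04-11", "203.0.113.130", "Example Cellular Ltd", 51.904, -0.202),
    Resolution("2014-04-18", "192.0.2.55", "Example Hosting Co", 51.508, -0.128),
    Resolution("2014-05-01", "192.0.2.56", "Example Hosting Co", 51.509, -0.127),
]


def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance in statute miles (mean Earth radius 3958.8 mi)."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * 3958.8 * asin(sqrt(a))


def provider_breakdown(records):
    """Count resolutions per ASN organisation."""
    return Counter(r.asn_org for r in records)


def mobile_share(records):
    """Fraction of resolutions that land in mobile-provider address space.

    A high share is the signal the post describes: the controller is most
    likely running behind a cellular connection with a dynamic-DNS client.
    """
    if not records:
        return 0.0
    return sum(r.asn_org in MOBILE_ASN_ORGS for r in records) / len(records)


def cluster_and_outliers(records, radius_miles=2.0):
    """Return ((lat, lon) anchor, records farther than radius_miles from it).

    The anchor is the component-wise median of all observed coordinates, which
    a handful of distant hits cannot drag around; anything outside the radius
    is reported as a movement worth a closer look.
    """
    anchor = (median(r.lat for r in records), median(r.lon for r in records))
    outliers = [
        r for r in records
        if haversine_miles(anchor[0], anchor[1], r.lat, r.lon) > radius_miles
    ]
    return anchor, outliers


if __name__ == "__main__":
    print("mobile share: %.0f%%" % (100 * mobile_share(SAMPLE_RESOLUTIONS)))
    for org, n in provider_breakdown(SAMPLE_RESOLUTIONS).most_common():
        print("  %-22s %d" % (org, n))
    anchor, far = cluster_and_outliers(SAMPLE_RESOLUTIONS)
    print("anchor: %.3f, %.3f" % anchor)
    for r in far:
        miles = haversine_miles(anchor[0], anchor[1], r.lat, r.lon)
        print("  outlier %s %s (%.1f mi from anchor)" % (r.date, r.ip, miles))
```

Using the median rather than the mean as the anchor matters here: a single far-away resolution (the constructed 11 April hit) would otherwise pull the centre of the cluster toward itself and shrink its own apparent distance. The radius is a tunable; the two-mile figure mirrors the one in the post.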

BT BT

For me (written by Rick), the thing I learned this week is that I learn something every week, no matter how challenging the week may have been. Even if I felt like I've not accomplished much, if I'm not learning something, I'm static.

The point I'm making is really simple: we're always busy doing the multitude of tasks we have to fit into an ...ahem... eight-hour day, but if you're not keeping your eyes on what's coming around the corner, you may walk smack dab into someone and break your nose. We talk about the "wolves closest to the sled", which is appropriate; when your spend is limited you're often just worried about today, the here-and-now, but what about the wolves that lurk in the darkness, the ones just beyond your vision waiting for their opportunity?

"White Fang" author Jack London once said, "The proper function of man is to live, not to exist." The function of security in any organization should be not only to get through the latest crisis, fending off the wolves on your sled, but also to be on the hunt for the wolves you've yet to discover that are hunting you. How do you do that? Intelligence.

BT BT

I'm keeping this one short. I completed a whirlwind trip to St. Louis and San Antonio at about two in the morning, so I'd asked the team to author the blog before I got back. So until next week, I've got a wet hayfield to mow when the rain finally stops.

Need intelligence? Drop us a note.

So until next time,
Have a great week!
Jeff

Saturday, May 10, 2014

Red Sky Weekly: Energetic Bear, Cyber-burkut

We turn our attention this week to cyber activities originating from Russia.

Energetic Bear:

In September 2013, both CrowdStrike and Cisco published findings on watering-hole attacks believed to be targeting the energy sector. CrowdStrike named this actor set "Energetic Bear". According to CrowdStrike, "ENERGETIC BEAR is an adversary group with a nexus to the Russian Federation that conducts intelligence collection operations against a variety of global victims with a primary focus on the energy sector."

While apparently focused on the energy sector, other victimized industry sectors were also called out in the CrowdStrike report:

• European government
• European, U.S., and Asian academia
• European, U.S., and Middle Eastern manufacturing and construction industries
• European defense contractors
• European energy providers
• U.S. healthcare providers
• European IT providers
• European precision machinery tool manufacturers
• Research institutes

This week Wapack Labs released Fusion Report 14-014 on Energetic Bear. State sponsorship of this group is unknown, so the activity is being classified as "APT-like" tactics, techniques, and procedures (TTPs). Wapack Labs identified and analyzed dozens of new and legacy first-stage (meaning, tools used in the first compromise) and second-stage backdoors associated with this activity, as well as a portion of the compromised infrastructure. As part of our report, we were able to identify new tools and targets, and provide tailored mitigations for the new Energetic Bear TTPs.

The energy sector is known to be widely targeted, not just in the US but around the world. The ability to steal intellectual property from others means less money spent on research and development of new, more efficient means of generating or distributing energy, less money spent on finding new places to drill for oil, and, in harsher scenarios, the ability to divert, disrupt, or destroy the movement of energy. Every business plan, every project plan, and every piece of analysis that's used to derive how investments will be made exists in investment firms. Companies needing money tell investment firm researchers everything, and oil and gas companies are no different. The movement toward targeting investment firms associated with oil and gas should come as no surprise, but the use of new tools against them is indeed believed to be new.

Cyber-burkut:

Cyber-burkut is not new. It's been reported many times in the past. But in this case, Wapack Labs analysts believe Cyber-burkut may be a low-level information operation campaign targeting the citizens of the Ukraine. And why not? Cyber is the perfect vehicle to affect the opinions of a LOT of people, and such a simple, grass-roots effort can be not only effective, but inexpensive.

Staging for a new round of distributed denial of service (DDoS) activities appears to be taking place. "Cyber-berkut" is a hacktivist movement much like others. Protesters are being urged to download an application to their computers. The application then makes their computer part of the network used to launch denial of service attacks against government and corporate websites. The website associated with the activity leverages patriotism in Russia by asking everyday people to take part in a cyber war against the Ukraine. For several reasons, Wapack Labs also believes (medium confidence) this activity to be state sponsored. "Burkut", for reference, is the name of a special police unit inside the Ukraine. The name has now been adopted by pro-Russian police forces in Crimea.

BT BT

This is a slightly different format than you're used to from me, but I thought it would be good to report 'meat' for a while instead of Stutzman ranting about information sharing, the need for intelligence, and what's happening in the world.

And as mentioned before, Wapack Labs is the analytic engine behind Red Sky Alliance. Crowdsourcing, coupled with a dedicated team of folks in the lab, means that when you ask a question and someone else doesn't already know the answer (which is rare), we have a group of folks dedicated to doing the analysis and answering the questions. In doing so, we've become really good at it, and now offer these intelligence and analysis services as a service. We're not incident responders. We refer those who need such services to partners who provide them: Red Sky Alliance members whom we believe to be trusted, and who are peer reviewed in the portal.

Need intel and analysis? Call us. Want it in a collaborative portal? We have that. Just want a subscription? We can do that too. Tell us what you need. We'll write it, and deliver it in just about any form you need it. We're heading toward STIX as we speak, cleaning up internal tagging before converting it all over, but even now, our MD5s are converted to STIX and we're looking at hosting solutions for new push/pull mechanisms. Stay tuned. We've got big things happening!

Want to know more about Wapack Labs? Drop us a note, or add your name to our list. We'll keep you up to date!

Until next time,
Have a great week!
Jeff

Saturday, May 03, 2014

Red Sky Weekly: Pirpi RAT

Last week (April 26th), FireEye reported a new Internet Explorer (IE) zero-day exploit used in targeted attacks. A "zero-day" is a new exploit or vulnerability that has never been seen in the wild before, the term normally referring to the first discovery.

According to Kaspersky bloggers, during the week of the 20th, attackers sent well-crafted emails (well-crafted means they often look very normal, like they might come from your boss or a customer) to specific, high-value targets. These targets generally have trust relationships with someone or something that has information related to the targeting objectives assigned to the group performing the attacks. In this case, the idea was to deliver a newer version of an old remote access trojan (RAT) named the Pirpi RAT. Once installed, the Pirpi RAT can be used to take full control of a user's browser and, in turn, their system and the larger network (where attackers may remove or destroy information as desired).

The vulnerability identified by FireEye affects Internet Explorer versions 6 through 11, but according to FireEye, the attacks appear to be targeting versions 9 through 11. And to make matters worse, the zero-day bypasses two Windows security measures: Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP).[i] (ASLR randomizes the memory locations used by system files and other programs, making it much harder for an attacker to correctly guess the memory location of a given process. DEP is a Windows feature that enables the system to mark one or more pages of memory as non-executable, preventing code placed in them from running.) Microsoft announced Security Advisory 2963983 the same day.[ii]
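ASLR and DEP only protect a process if the executable and every module it loads opt in to them, so a defender's first check on a suspect or critical binary is whether those opt-in flags are set. The following is an added example written for this post, not from the original article or from FireEye's or Microsoft's reporting. It reads the DllCharacteristics field of the PE optional header, where IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (0x0040) marks an image as relocatable for ASLR, IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA (0x0020) allows 64-bit high-entropy ASLR, and IMAGE_DLLCHARACTERISTICS_NX_COMPAT (0x0100) marks it DEP-compatible. The two sample images are constructed in memory (header-only, not runnable programs) so the script works offline; point pe_mitigations() at the bytes of a real file to check it.

```python
"""Report whether a Windows PE image opts in to ASLR and DEP.

Added example, not from the original post. Sample images are constructed.
"""
import struct

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020  # 64-bit high-entropy ASLR
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040     # image may be relocated (ASLR)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100        # compatible with DEP

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
COFF_HEADER_SIZE = 20
DLLCHARACTERISTICS_OFFSET = 70   # same offset inside PE32 and PE32+ optional headers


def pe_mitigations(data: bytes) -> dict:
    """Parse the DOS, PE and optional headers and report opt-in mitigations."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)        # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + COFF_HEADER_SIZE                      # optional header start
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (dllchar,) = struct.unpack_from("<H", data, opt + DLLCHARACTERISTICS_OFFSET)
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "aslr": bool(dllchar & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "high_entropy_aslr": bool(dllchar & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "dep": bool(dllchar & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def build_sample_pe(dllchar: int, pe32plus: bool = True) -> bytes:
    """Construct a minimal, header-only PE image carrying the given flags."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)             # e_lfanew -> PE signature
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH",
                       0x8664 if pe32plus else 0x14C,   # Machine: x64 or i386
                       0, 0, 0, 0,                      # sections, timestamp, symbol table
                       opt_size, 0x0022)                # SizeOfOptionalHeader, Characteristics
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, DLLCHARACTERISTICS_OFFSET, dllchar)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed samples: a fully opted-in 64-bit image, and a 32-bit image with
# neither flag set, which neither ASLR nor DEP would protect at all.
HARDENED_IMAGE = build_sample_pe(
    IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
    | IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
    | IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
WEAK_IMAGE = build_sample_pe(0, pe32plus=False)


if __name__ == "__main__":
    for name, image in (("hardened", HARDENED_IMAGE), ("weak", WEAK_IMAGE)):
        print(name, pe_mitigations(image))
```

The check is deliberately limited to the opt-in flags. A bypass of the kind FireEye described defeats ASLR and DEP even when both flags are set, so the script tells you whether the mitigations are in play, not whether a given exploit will fail against them.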

This week's Cyber Threat Analysis and Intelligence (CTA&I) report provided analysis, situational awareness, and mitigation strategies for two variants of Pirpi malware, as well as possible attribution for its use. Wapack Labs analyzed, and published to our members, analysis of two primary strains of the Pirpi malware, with some interesting findings:
  • The first versions of Pirpi appeared in 2008. 
  • Several domains were observed as remote control channels (command and control, or C2) used with the first variants. These domains appear to currently be sink-holed, but a Domain Tools "Whois History" report revealed the original registrants. Domains don't always make the best indicators when chasing compromise (because they change often), but the metadata associated with them rarely does. What's metadata? Names, phone numbers, addresses, etc., associated with the person or organization that registered the domains. These make great indicators for identifying new bad actors or actions, and Wapack Labs has a great internally built tool to help us identify patterns in registrant metadata. We call it "WhoisRecon". In this case, there is a lot of history, and those who don't learn from it may be doomed to repeat it. Four early domains used by Pirpi for C2 were identified.
  • A well-known Advanced Persistent Threat (APT) group is believed responsible for leveraging this recent exploit. The group today leverages several back doors, including older versions of Pirpi.[iii]
  • One email address, the original registrant of three of these four early domains, is believed linked to over 140 others. The email address was reported in an Infosec forum operated by a Chinese information security company in September 2009. The email's connection with the attacks is unknown, but certainly enough information is available to suggest malintent.
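The registrant-metadata pivot described in the findings above (three of four seed domains sharing one registrant email, which in turn links to many more domains) is the kind of analysis a tool like the "WhoisRecon" mentioned in the post would automate. The following is an added example written for this post, not Wapack Labs' own tool. The WHOIS-history records, email addresses, phone numbers and domains in it are all constructed sample data in reserved example namespaces; a real run would feed in records exported from a WHOIS-history provider. It also handles the pitfall that trips up naive pivots: values belonging to a privacy proxy or registrar appear on thousands of unrelated domains and must be excluded from the walk.

```python
"""Pivot from seed domains to others sharing registrant metadata.

Added example, not Wapack Labs' "WhoisRecon". All records are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class WhoisRecord:
    """One historical WHOIS snapshot for a domain."""
    domain: str
    registered: str   # YYYY-MM-DD
    email: str
    phone: str
    name: str


# Fields worth pivoting on. Registrant names collide far too often to walk on
# blindly, so they are kept for display but not used as pivots here.
PIVOT_FIELDS = ("email", "phone")

# Constructed: values belonging to a privacy proxy, which link unrelated
# customers together and must never be used as pivots (compared lower-cased).
IGNORED_VALUES = {"privacy@proxy.example", "+1.5550000"}

# Constructed WHOIS history: four "seed" C2 domains, three sharing a registrant.
SAMPLE_HISTORY = [
    WhoisRecord("seed-one.example",   "2008-03-12", "reg-a@example.net", "+1.5550100", "Pat Example"),
    WhoisRecord("seed-two.example",   "2008-05-02", "reg-a@example.net", "+1.5550100", "Pat Example"),
    WhoisRecord("seed-three.example", "2008-09-17", "reg-a@example.net", "+1.5550101", "P. Example"),
    WhoisRecord("seed-four.example",  "2009-01-30", "privacy@proxy.example", "+1.5550000", "Domain Privacy Service"),
    WhoisRecord("linked-a.example",   "2009-06-04", "reg-a@example.net", "+1.5550177", "Sam Sample"),
    WhoisRecord("linked-b.example",   "2010-02-11", "reg-b@example.net", "+1.5550100", "Sam Sample"),
    WhoisRecord("linked-c.example",   "2010-11-19", "reg-b@example.net", "+1.5550188", "Lee Lorem"),
    WhoisRecord("unrelated.example",  "2011-07-23", "privacy@proxy.example", "+1.5550000", "Domain Privacy Service"),
]
SEED_DOMAINS = ["seed-one.example", "seed-two.example", "seed-three.example", "seed-four.example"]


def build_index(records):
    """Map (field, normalised value) -> set of domains, skipping ignored values."""
    index = defaultdict(set)
    for r in records:
        for field in PIVOT_FIELDS:
            value = getattr(r, field).strip().lower()
            if value and value not in IGNORED_VALUES:
                index[(field, value)].add(r.domain)
    return index


def pivot(records, seeds, max_hops=1):
    """Walk outward from seed domains through shared registrant values.

    Returns {domain: {(field, value), ...}} for each newly linked domain,
    recording which shared value connected it. max_hops bounds the walk so a
    single noisy value cannot pull in a registrar's entire customer base.
    """
    index = build_index(records)
    keys_by_domain = defaultdict(set)
    for key, domains in index.items():
        for d in domains:
            keys_by_domain[d].add(key)

    known, frontier, linked = set(seeds), set(seeds), {}
    for _ in range(max_hops):
        next_frontier = set()
        for d in frontier:
            for key in keys_by_domain[d]:
                for other in index[key]:
                    if other not in known:
                        linked.setdefault(other, set()).add(key)
                        next_frontier.add(other)
        known |= next_frontier
        frontier = next_frontier
        if not frontier:
            break
    return linked


if __name__ == "__main__":
    for hops in (1, 2):
        print("hops=%d" % hops)
        for domain, keys in sorted(pivot(SAMPLE_HISTORY, SEED_DOMAINS, hops).items()):
            print("  %-20s via %s" % (domain, sorted(keys)))
```

With one hop the walk finds the domains that share a value directly with a seed; with two it also reaches linked-c.example through the registrant email it shares with linked-b.example, while unrelated.example stays out despite sharing the privacy proxy's address with seed-four.example. In practice each extra hop should raise the analyst's scepticism, not the confidence score.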

BT BT 

This was a simplified snippet of the deeper analysis that we provide to our members and customers on a weekly basis. This week was busy and I thought this might be interesting. The reports, when possible, provide not only the analysis of the activity but also Snort rules for your intrusion prevention systems, YARA rules, which are used to check files for badness (a great overview can be found here), and indicators, currently presented in Lockheed's Kill Chain format.

Red Sky Alliance and Wapack Labs are one of the few places where users can come in, get up to speed, and get no-kidding analysis and protection strategies for advanced threats... and everyone has them. Last week I wrapped my victim notifications with a call to a four person company. While we don't do incident response, we do offer victim notifications and referrals to trusted partners. In this case, we had a local partner with deep experience in exactly the same industry as the victim. 

As an added note, I had the opportunity to participate in the US Cyber Crime Conference this week. While no longer associated with DoD, the conference was excellent. A much smaller crowd turned out, I think about 600 or so, but there was heavy commercial participation, with ten educational tracks, and as usual, Jim Christy and the folks at Tech Forums did a hell of a job.

Ok, going for a run before it rains.

Until next time,
Have a great week!
Jeff

[i] http://www.fireeye.com/blog/uncategorized/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html
[ii] https://technet.microsoft.com/en-US/library/security/2963983
[iii] http://www.fireeye.com/blog/uncategorized/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html

Saturday, April 26, 2014

Red Sky Weekly - Gh0st RAT

"Ghost Rat (or Gh0st RAT) is a Trojan horse "Remote Access Tool" used on Windows platforms, and has been used to hack into some of the most sensitive computer networks on Earth. It is a cyber spying computer program." While I don't normally quote Wikipedia, their description of Gh0st RAT is actually pretty simple, but pretty good:

The GhostNet system disseminates malware to selected recipients via computer code attached to stolen emails and addresses, thereby expanding the network by allowing more computers to be infected. According to the Infowar Monitor (IWM), "GhostNet" infection causes computers to download a Trojan, "Gh0st Rat", that allows attackers to gain complete, real-time control of the victim computer. The computer can be controlled or inspected by its hackers, and even has the ability to turn on the camera and audio-recording functions of an infected computer that has such capabilities, enabling monitors to see and hear what goes on in a room.

In fact, Gh0st RAT is rarely used alone. It is indeed a remote access and administration tool, but in most cases, the RAT is used to carry out other activities in the victim computer or network. 

This week we published our next Fusion Report, FR14-013, which dealt with another variant of Gh0st RAT... We're not the first to report on Gh0st, nor do I suspect we'll be the last. What we do believe, however, is that the use of Gh0st this time can be attributed to a group known to be dangerous, very active, and targeting very specific types of technologies.

In mid-April 2014, a Red Sky member received two phishing emails originating from the same sender.

  • One email contained a link to an executable file. That executable, upon analysis, was identified as a variant of the Gh0st RAT malware. 
  • The second email contained a download link to malware that was identified as a Microsoft Outlook credential stealer.

Remember when I said Gh0st is often used in conjunction with other tools? In this case, the attackers were looking for credentials, probably hoping the credentials captured from Outlook would also give them access to the network's front door: the users' access credentials. At that point, without good behavioral analysis techniques, detection becomes really hard, really fast.

One of the things we talk about often is the idea of being able to assist a security team with fast classification of activities hitting the sensors and the security management consoles. This, with the vast amount of data coming at a typical defender, is also really (REALLY) hard. How exactly does a security team quickly assess the difference between 'commodity', 'systemic' and 'targeted' events? For dictionary purposes:

  • Commodity issues are those that a simple tweak in existing defenses will take care of: a new virus, a misconfiguration, etc.
  • Systemic issues are those that might take down your company, or worse, an industry. Interconnected systems with few controls, and central services to large-scale operations with built-in credentials or trusts, could be considered systemic. Help desk systems where every help desk technician has credentials to every computer; hard-coded accounts in databases that connect to each other. These issues are usually a bit harder to identify, but once identified, controls can be placed to manage risk and threat.
  • Targeted issues are a little different. Where the first two require largely mechanical mitigation processes, targeted attacks require defenders to step into the role of "security chess". The game is on, and it's not going to stop. Attackers are skilled. In fact, one guy posted to a group the warning that targeted attackers (that hit his environment) mean business. They want something, and they bring the A-team. You need to be ready.

In this case, this group's use of Gh0st was clearly targeted. How can we assess that?

  • The Gh0st RAT variant that we analyzed had few known open source variants.
  • It leverages dynamic C2 domains previously identified in discussions within the Red Sky portal.
  • The initial phish 'bait' was clearly tailored to socially engineer the intended victims at the high-tech company that tipped off the community.
  • The products manufactured by this company are technologies known to be coveted by others in the world (believed associated with the attackers).
  • Last, this group rarely operates without either financial gain or espionage motivations (probably both).

In the end, our reporting analyzed and detailed the infrastructure associated with the RAT and the malware details, and to wrap it up, we provided the Red Sky members with mitigation information: a Snort rule, a YARA rule, full directory-structure artifacts that users can search for, and a couple of pages of indicators in LM's Kill Chain format.

BT BT

In the lab, we began sink-holing operations on a couple of new locations. Within the first day, we collected information suggesting at least four companies had been compromised. The group? The same group associated with Gh0st RAT mentioned above. In two of the victims identified, the RATs used to steal information from these networks appear to have been placed as early as 2009. Three of the four identified were actively sending and receiving information when we identified them. Industries? One company manufactures airplanes and aerospace technologies. Another is a small engineering firm that manufactures propulsion technologies for rockets and spacecraft. The third, an energy company in Asia. The fourth? Apparently we stumbled onto someone else's research network. Sorry guys! ;)

So, we issued three victim notifications. One company never responded, but I was amazed to see how fast the others did. In both cases, we gave them information they hadn't previously known, and in both cases the CISOs reacted nearly immediately. These guys were on the ball, and grateful for the heads up.

The information sharing construct works. Red Sky Alliance isn't the only group out there, and it looks like at least some companies are getting the message. In fact, a Ponemon study on information sharing (released last week) polled 701 companies. 71% of them believed (at least according to the survey) that participating in threat intelligence forums (like Red Sky Alliance) improves the security posture of their organizations.

It's apparent, and not a secret, that there have to be better ways to share information. Automated means, faster turn-around, simplified exchange protocols and taxonomies, trust (and anti-trust), and competitive concerns all seemingly get in the way, but those who love this stuff REALLY love it. The rest? Well, I'm reminded of my first junior high school dance, where the boys stood on one side of the gym and the girls on the other. Only the boldest dared actually dance. At some point in the future, we'll all be on the floor, but don't wait too long. A small company with high-value tech doesn't stand a chance on its own.

Drop us a note. You may not want to participate in the Red Sky Portal, but it'll be there if you need it. When you (or your lawyers) finally get up the courage to actually participate and dance, there'll be others in the portal waiting to help, and if you don't have the ability to implement the 'help' yourself, we're happy to make recommendations.

Until next time,
Have a great week!
Jeff