Saturday, May 31, 2014

Red Sky Weekly: Did Russia attempt to sway the Ukrainian Presidential Election?

Wapack Labs, under a project named "8-ball" maintains watch over cyber activities between Russia and the Ukraine in an effort to warn Red Sky Alliance and the FS-ISAC members of impending threats to their businesses and interests in the area.  We've authored reports of Telephony Denial of Service (TDoS) attacks and details involving the CyberBerkut group and their tools. 

This week we published a priority intelligence report that demonstrated the ability of the Russian and Ukrainian governments to develop and deploy cyber operations (on the Russian side, aimed at interfering with the election of the next Ukrainian president; on the Ukrainian side, the ability to identify, defend, and arrest). We believe the actions taken by the Russian attackers may be indicative of actions that could be used against other organizations, and identifying lessons learned may help them better understand new threats and defend against future attacks. 

The abbreviated version of the story goes like this...

We all know how television stations broadcast election results throughout the evening, tallying votes, predicting winners. The presidential election in the Ukraine was no different. Russian television (Channel One) broadcasted updates through the evening. Unfortunately, the updates were being taken from a feed from a compromised Ukrainian election commission system.

On May 25, 2014, Russian state TV Channel One reported that a controversial Ukrainian nationalist and leader of the Right Sector, Dmytro Yarosh, was leading in the elections with 37 percent of the vote, when all other sources were showing another moderate candidate’s clear victory and Dmytro Yarosh's results under 1 percent (see Figure 1).
Figure 1: Russian Channel One television coverage of fake election results 
Ukrainian media sources stated that 40 minutes before the Russian media reported the fake results, Ukrainian cyber security forces neutralized a virus in the Ukrainian Central Election Commission system. The virus was supposedly placed to influence the system that reported election results, and it produced the report of 37% of the vote for Dmytro Yarosh. Channel One was thought to be reporting on activity received from a legitimate Ukrainian Central Election Commission system – a possible (but unconfirmed) unwitting participant in an attempt to discredit the Ukrainian election.

The Security Service of Ukraine reported that it had arrested a group of hackers in Kiev who were working to compromise the electoral system. As reported by the Kyiv Post, according to Victor Yagun, Deputy Head of the Security Service of Ukraine (also known as the SBU), “A group of hackers has been arrested in Kiev with specialized equipment intended to rig the results of Ukraine’s presidential election.” This article [in Russian] offered deeper details on the arrest and hacking attacks during the elections.

Additional reporting suggests multiple coordinated tactics used to sway the election. Telephony Denial of Service (TDoS) attacks were used in an attempt to block the phones of the electoral commissions. Another report suggested redirection of traffic from the electoral commission to a different IP address. A DDoS was run from Ukrainian servers operated by a Russian citizen. And Russian botnets were believed to have been used to deny access to results other than those being shown on Russian Channel One. 

We provide intelligence and analysis to a lot of companies and organizations. Much of it is retrospective in nature, but some of it is also forward looking. One of the best ways to understand possible future actions is to understand how cyber is used during conflict. And there is no better time to learn how government sponsored cyber actions will unfold than by watching the activities between Russia and Ukraine.

Did Russia attempt to sway the Ukrainian presidential election? You make the call. Certainly the increase in cyber activity suggests an attempt to influence. Regardless, at the strategic level Wapack Labs "Project 8-ball" is offering continued Russia/Ukraine situational awareness to Red Sky Alliance members and others. At a tactical level, we've published detailed workings of tools used and indicators/rules that may be placed in intrusion detection systems and other layers of their defense in depth to help protect our members and customers who are operating in the area.

Rick will be posting next week. I'm taking a week off, flyfishing with an old friend in what we're calling "Advanced Persistent Trout". I'm placing my email on 'Out of Office' today. If you need to contact us, please contact Jim McKee or Rick Gamache for membership questions.

Have a great week! 
Jeff

Saturday, May 24, 2014

Red Sky Weekly: Happy Memorial Day!

I wrote a blog this morning, but after reading it and re-reading it, I just didn't like it. So I thought I'd keep it simple. 

Thank you to all who've served. I am a vet. Many of my friends are vets. Most of the Red Sky Alliance and Wapack Labs team are either vets or currently serving as reservists. Enjoy the long weekend and please, in between activities marking the official beginning of summer, take a moment to remember those who are serving, have served, those who've stopped at Walter Reed on their way home, and those who've paid the ultimate price. At the same time, don't forget the families. They've supported us on deployment, and probably much harder, when we returned. 

Happy Memorial Day!
From the teams at Red Sky Alliance and Wapack Labs

Saturday, May 17, 2014

Red Sky Weekly: Uptick in Dark Comet RAT?

Indicator aging is a topic that comes up often in conversations with folks who're interested in knowing how we handle old indicators. And in most cases, I have stories of VPN drivers, and newcomers pinning on their first oh sh*t badge, who get hit first with the old stuff. This week, we had a great example of why old indicators must be kept up to date, with a story of an old RAT being used in a slightly different way... Dark Comet, labeled by Symantec as "Backdoor.Breut", had been credited by CNN for its use by the Syrian regime against those who opposed them.

This week, Dark Comet RAT appeared on our radar. And although available for years, Dark Comet remains popular among hackers. Recent activity observed by our lab indicates an uptick in the use of this tool and it’s not showing any signs of slowing down... and sporting a new twist --Mobile Command and Control (C2).

Geolocation of DarkComet RAT Mobile C2 nodes
In a new development, analysts at Wapack Labs observed the use of what we are calling "Mobile C2s". A couple of recent variants leveraged No-IP domains that showed historical resolutions to dozens of IPs. Upon closer inspection it was revealed that the majority of them were mobile service provider hosts. This would suggest that the attackers are running the C2 controller on a laptop with mobile broadband and a No-IP client. During our research we also discovered a number of DynDNS clients for mobile apps; however, to our knowledge there are no Dark Comet controllers compatible with mobile devices. Either way, this may be signaling a new trend.

While it may represent a convenient option for the attacker to have a mobile C2, it does offer some interesting data points for tracking. Using historical resolutions for one C2 we identified 26 separate mobile provider hosts with resolutions starting from late February to present. The majority of the hosts were geo-located within a two-mile radius in London; however, on 11 April we see a hit for Stevenage, which is an hour north of the primary cluster.


Despite the relative anonymity of using Mobile infrastructure for C2 it does clearly allow for higher confidence tracking of actor movements and activity. Wapack Labs is keeping a close eye on these networks and the continued use of this TTP.
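The tracking described above (historical resolutions of a C2 domain, filtered to mobile-provider hosts, clustered by location, with a hit outside the primary cluster flagged) can be automated. The following is an added example, not Wapack Labs code: the passive-DNS records and the ASN/GeoIP lookup table are constructed (the IPs are RFC 5737 documentation addresses, the provider names are placeholders), and in practice both would come from a passive-DNS source and a GeoIP/ASN database.

```python
"""Cluster the historical resolutions of a suspected mobile C2 domain.

Added example (not Wapack Labs code). The passive-DNS export and the
provider/GeoIP table below are constructed for illustration.
"""
from datetime import date
from math import asin, cos, radians, sin, sqrt

# Constructed passive-DNS records for one No-IP style C2 name: (resolved IP, first seen).
RESOLUTIONS = [
    ("192.0.2.10", date(2014, 2, 24)),
    ("192.0.2.11", date(2014, 3, 2)),
    ("192.0.2.12", date(2014, 3, 15)),
    ("198.51.100.7", date(2014, 4, 11)),
    ("203.0.113.5", date(2014, 4, 20)),
]

# Constructed ASN/GeoIP table: IP -> (provider, is_mobile_provider, lat, lon).
GEO = {
    "192.0.2.10": ("MobileCo UK", True, 51.5074, -0.1278),   # central London
    "192.0.2.11": ("MobileCo UK", True, 51.5100, -0.1300),
    "192.0.2.12": ("MobileCo UK", True, 51.5050, -0.1200),
    "198.51.100.7": ("MobileCo UK", True, 51.9017, -0.2019),  # Stevenage
    "203.0.113.5": ("HostingCo", False, 50.1109, 8.6821),    # a VPS; says nothing about actor location
}


def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in statute miles."""
    earth_radius = 3958.8
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius * asin(sqrt(a))


def mobile_share(resolutions, geo):
    """Fraction of resolutions that land on mobile-provider hosts (the 'mobile C2' signal)."""
    mobile = sum(1 for ip, _ in resolutions if geo[ip][1])
    return mobile / len(resolutions)


def cluster_resolutions(resolutions, geo, radius_miles=2.0):
    """Greedy clustering of mobile-provider hits: a hit joins the first cluster
    whose seed lies within radius_miles, otherwise it seeds a new cluster.
    Non-mobile hosts (hosting/VPS) are skipped since they carry no location signal."""
    clusters = []  # each: {"seed": (lat, lon), "hits": [(ip, first_seen)]}
    for ip, seen in sorted(resolutions, key=lambda r: r[1]):
        _, is_mobile, lat, lon = geo[ip]
        if not is_mobile:
            continue
        for c in clusters:
            if haversine_miles(lat, lon, *c["seed"]) <= radius_miles:
                c["hits"].append((ip, seen))
                break
        else:
            clusters.append({"seed": (lat, lon), "hits": [(ip, seen)]})
    return clusters


def outliers(resolutions, geo, radius_miles=2.0):
    """Hits outside the largest cluster, as (ip, first_seen, miles from primary cluster)."""
    clusters = cluster_resolutions(resolutions, geo, radius_miles)
    primary = max(clusters, key=lambda c: len(c["hits"]))
    found = []
    for c in clusters:
        if c is primary:
            continue
        for ip, seen in c["hits"]:
            _, _, lat, lon = geo[ip]
            found.append((ip, seen, round(haversine_miles(lat, lon, *primary["seed"]), 1)))
    return found


if __name__ == "__main__":
    print(f"mobile-provider share: {mobile_share(RESOLUTIONS, GEO):.0%}")
    for ip, seen, miles in outliers(RESOLUTIONS, GEO):
        print(f"{seen} {ip} resolved {miles} mi from the primary cluster")
```

Two caveats a practitioner should carry into this: the cluster radius is only as good as the GeoIP data behind it, and a single non-mobile resolution (a VPS, a proxy) should be excluded from the clustering rather than treated as a movement of the actor, which is why the non-mobile host above is skipped.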

BT BT

For me (written by Rick), the thing I learned this week is that I learn something every week, no matter how challenging the week may have been. Even if I feel like I've not accomplished much, if I'm not learning something, I'm static. 

The point I'm making is really simple: we're always busy doing the multitude of tasks we have to fit into an ...ahem... eight hour day, but if you're not keeping your eyes on what's coming around the corner, you may walk smack dab into someone and break your nose.  We talk about the "wolves closest to the sled", which is appropriate: when your spend is limited you're often just worried about today, the here-and-now. But what about the wolves that lurk in the darkness, the ones just beyond your vision, waiting for their opportunity?

"White Fang" author Jack London once said, "The proper function of man is to live, not to exist."  The function of security in any organization should not be just to get through the latest crisis, fending off the wolves on your sled, but also to be on the hunt for the wolves you've yet to discover that are hunting you.  How do you do that?  Intelligence.

BT BT

I'm keeping this one short. I completed a whirlwind trip to St. Louis and San Antonio about two in the morning, so I'd asked the team to author the blog before I got back. So until next week, I've got a wet hayfield to mow when the rain finally stops.

Need intelligence? Drop us a note.

So until next time,
Have a great week!
Jeff

Saturday, May 10, 2014

Red Sky Weekly: Energetic Bear, Cyber-burkut

We turn our attention this week to cyber activities originating from Russia.

Energetic Bear:

In September 2013, both CrowdStrike and Cisco published findings of watering-hole attacks believed to be targeting the energy sector.  CrowdStrike named this actor set "Energetic Bear". According to CrowdStrike, "ENERGETIC BEAR is an adversary group with a nexus to the Russian Federation that conducts intelligence collection operations against a variety of global victims with a primary focus on the energy sector."

While apparently focused on the energy sector, other victimized industry sectors were also called out in the CrowdStrike report.

• European government
• European, U.S., and Asian academia
• European, U.S., and Middle Eastern manufacturing and construction industries
• European defense contractors
• European energy providers
• U.S. healthcare providers
• European IT providers
• European precision machinery tool manufacturers
• Research institutes

This week Wapack Labs released Fusion Report 14-014 on Energetic Bear. State sponsorship of this group is unknown, so the activity is being classified as "APT-like" tactics, techniques and procedures (TTPs). Wapack Labs identified and analyzed dozens of new and legacy first-stage (meaning, tools used in the first compromise) and second-stage backdoors associated with this activity, as well as a portion of the compromised infrastructure. As part of our report, we were able to identify new tools and targets, and provide tailored mitigations for the new Energetic Bear TTPs.

The energy sector is known to be widely targeted. Not just in the US, but around the world. And the ability to steal intellectual property from others means less money spent on research and development of new, more efficient means of generating or distributing energy, less money spent on finding new places to drill for oil, and potentially, in harsher scenarios, the ability to divert, disrupt, or destroy the movement of energy. Every business plan, every project plan, and every piece of analysis that's used to derive how investments will be made exists in investment firms. Companies needing money tell investment firm researchers everything -- and oil and gas companies are no different. The movement toward targeting investment firms associated with oil and gas should come as no surprise, but the use of new tools targeting them is indeed believed to be new.

Cyber-burkut:

Cyber-burkut is not new. It's been reported many times in the past. But in this case, Wapack Labs analysts believe the cyber-burkut may be a low level information operation campaign targeting the citizens of the Ukraine. And why not? Cyber is the perfect vehicle to affect the opinions of a LOT of people, and such a simple, grass roots effort can be not only effective, but inexpensive.  

Staging for a new round of distributed denial of service (DDoS) activities appears to be taking place. "Cyber-berkut" is a hacktivist movement much like others. Protesters are being urged to download an application to their computers. The application then makes their computer part of the network used to launch denial of service attacks against government and corporate websites. The website associated with the activity leverages patriotism in Russia by asking everyday people to take part in a cyber war against the Ukraine. For several reasons, Wapack Labs also believes (medium confidence) this activity to be state sponsored. "Berkut", for reference, is the name of a special police unit inside the Ukraine. The name has now been adopted by pro-Russian police forces in Crimea.

BT BT

This is a slightly different format than you're used to from me, but I thought it would be good to report 'meat' for a while instead of Stutzman ranting about information sharing, the need for intelligence, and what's happening in the world.

And as mentioned before, Wapack Labs is the analytic engine behind Red Sky Alliance. Crowdsourcing, coupled with a dedicated team of folks in the lab, is there so that when you ask a question and someone else doesn't already know the answer (which is rare), we have a group of folks dedicated to doing the analysis and answering the questions. In doing so, we've become really good at it... and now offer these intelligence and analysis services as a service. We're not incident responders. We refer those who need such services to partners who provide them -- Red Sky Alliance members, whom we believe to be trusted, and who are peer reviewed in the portal.

Need intel and analysis? Call us. Want it in a collaborative portal? We have that. Just want a subscription? We can do that too. Tell us what you need. We'll write it, and deliver it in just about any form you need it. We're heading toward STIX as we speak, cleaning up internal tagging before converting it all over, but even now, our MD5s are converted to STIX and we're looking at hosting solutions for new push/pull mechanisms. Stay tuned. We've got big things happening!

Want to know more about Wapack Labs? Drop us a note, or add your name to our list. We'll keep you up to date!

Until next time,
Have a great week!
Jeff

Saturday, May 03, 2014

Red Sky Weekly: Pirpi RAT

Last week (April 26th), FireEye reported a new Internet Explorer (IE) zero-day exploit used in targeted attacks. A "zero-day" is a newly discovered exploit or vulnerability that has never been seen in the wild before; the term normally refers to its first discovery.

According to Kaspersky bloggers, during the week of the 20th, attackers sent well crafted emails (well crafted means they often times look very normal, like they might come from your boss or a customer) to specific, high value targets. These targets generally have trust relationships with someone or something that has information related to targeting objectives assigned to the group performing the attacks. In this case, the idea was to deliver a newer version of an old remote access trojan (RAT) named the Pirpi RAT. Once installed, the Pirpi RAT can be used to take full control of a user's browser, and in turn, their system, and larger network (where attackers may remove or destroy information as desired).

The vulnerability identified by FireEye affects Internet Explorer versions 6 through 11, but according to FireEye, the attacks appear to be targeting versions 9 through 11. And to make matters worse, the zero-day bypasses two Windows security measures -- Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP).[i] (Address Space Layout Randomization (ASLR) randomizes the memory locations used by system files and other programs, making it much harder for an attacker to correctly guess the memory location of a given process. Data Execution Prevention (DEP) is a Windows feature that enables the system to mark one or more pages of memory as non-executable, preventing code in those pages from running.) Microsoft announced Security Advisory 2963983 the same day.[ii] 

This week's Cyber Threat Analysis and Intelligence (CTA&I) report provided analysis, situational awareness, and mitigation strategies for two variants of Pirpi malware, as well as possible attribution for its use. Wapack Labs analyzed, and published to our members, analysis of two primary strains of the Pirpi malware with some interesting findings:
• The first versions of Pirpi appeared in 2008. 
• Several domains were observed as remote control channels (command and control, or C2) used with the first variants. These domains appear to currently be sink-holed, but a Domain Tools “Whois History” report revealed the original registrants. Domains don't always make the best indicators when chasing compromise (because they change often), but the metadata associated with them rarely does. What's metadata? Names, phone numbers, addresses, etc., associated with the person or organization that registered the domains. These make great indicators in identifying new bad actors or actions, and Wapack Labs has a great internally built tool to help us identify patterns in the registrant metadata. We call it "WhoisRecon". In this case, there is a lot of history -- and those who don't learn from it may be doomed to repeat it. Four early domains used by Pirpi for C2 were identified.
• A well known Advanced Persistent Threat (APT) group is believed responsible for leveraging this recent exploit. The group today leverages several back doors including older versions of Pirpi.[iii] 
• One email address, the original registrant of three of these four early domains, is believed linked to over 140 others. The email address was reported in an Infosec forum operated by a Chinese information security company in September 2009. The email's connection with the attacks is unknown, but certainly enough information is available to suggest malintent. 
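The registrant-metadata pivot described in the findings above (normalize the WHOIS fields, index domains by registrant email, name and phone, then walk from known C2 domains to every other domain sharing a registrant) is small enough to show in code. This is an added example and is not Wapack Labs' WhoisRecon tool: the WHOIS history records are constructed (domains use the reserved .invalid TLD; names, emails and phones are placeholders), and the privacy-proxy exclusion list is an assumption about how a practitioner would avoid false links through a registrar's privacy service.

```python
"""Pivot on WHOIS registrant metadata to link domains to known C2 infrastructure.

Added example, not Wapack Labs' WhoisRecon. All records below are constructed.
"""
from collections import defaultdict

# Constructed WHOIS-history records: one row per (domain, registration snapshot).
# The same registrant appears with inconsistent casing, spacing and phone formatting,
# which is exactly why the fields are normalized before indexing.
WHOIS_HISTORY = [
    {"domain": "c2-alpha.invalid", "email": "Actor.One@Mail.invalid", "name": "Actor  One",
     "phone": "+1.555-0100", "seen": "2008-02-10"},
    {"domain": "c2-beta.invalid", "email": "actor.one@mail.invalid", "name": "Actor One",
     "phone": "+1 (555) 0100", "seen": "2008-03-05"},
    {"domain": "c2-gamma.invalid", "email": "actor.one@mail.invalid", "name": "A. One",
     "phone": "+15550100", "seen": "2008-05-20"},
    {"domain": "c2-delta.invalid", "email": "other@mail.invalid", "name": "Some Body",
     "phone": "+44.2055500101", "seen": "2009-01-15"},
    {"domain": "later-one.invalid", "email": "actor.one@mail.invalid", "name": "Actor One",
     "phone": "+1.5550100", "seen": "2010-07-01"},
    {"domain": "later-two.invalid", "email": "unrelated@mail.invalid", "name": "Some Body",
     "phone": "+1.5550100", "seen": "2011-09-09"},
    {"domain": "later-three.invalid", "email": "reseller@privacy.invalid", "name": "Privacy Service",
     "phone": "+1.5550999", "seen": "2012-01-01"},
]

# Constructed seed set: the early C2 domains the analysis started from.
KNOWN_C2 = {"c2-alpha.invalid", "c2-beta.invalid", "c2-gamma.invalid", "c2-delta.invalid"}

# Assumed exclusion list: registrar privacy/proxy contacts are shared by unrelated
# owners, so pivoting through them would link strangers together.
PRIVACY_CONTACTS = {"reseller@privacy.invalid"}

PIVOT_FIELDS = ("email", "name", "phone")


def normalize(field, value):
    """Canonical form of a registrant field so formatting differences don't split one registrant."""
    if field == "email":
        return value.strip().lower()
    if field == "phone":
        return "".join(ch for ch in value if ch.isdigit())
    if field == "name":
        return " ".join(value.split()).lower()
    return value.strip()


def build_index(records):
    """index[field][normalized value] -> set of domains registered with that value."""
    index = {field: defaultdict(set) for field in PIVOT_FIELDS}
    for rec in records:
        for field in PIVOT_FIELDS:
            index[field][normalize(field, rec[field])].add(rec["domain"])
    return index


def pivot(index, seeds, field, exclude=frozenset()):
    """One-hop pivot: values of `field` seen on any seed domain, and the new
    domains that share those values. Returns (values used, newly linked domains)."""
    exclude = {normalize(field, v) for v in exclude}
    values = {v for v, doms in index[field].items() if doms & seeds and v not in exclude}
    linked = set()
    for v in values:
        linked |= index[field][v]
    return values, linked - seeds


def prolific_registrants(index, field, min_domains=3):
    """Registrant values tied to at least min_domains domains, the 'one email, 140 domains' pattern."""
    return {v: sorted(d) for v, d in index[field].items() if len(d) >= min_domains}


if __name__ == "__main__":
    idx = build_index(WHOIS_HISTORY)
    for field in PIVOT_FIELDS:
        used, new = pivot(idx, KNOWN_C2, field, exclude=PRIVACY_CONTACTS)
        print(f"{field}: pivoted on {sorted(used)} -> new domains {sorted(new)}")
    print("prolific email registrants:", prolific_registrants(idx, "email"))
```

Note that the phone pivot links one more domain than the email pivot does: a registrant who changes email addresses but keeps a phone number is caught by the second field, which is the reason to index several fields rather than email alone. The flip side is that shared values such as privacy-proxy contacts, registrar defaults or a single company switchboard must be excluded, or the pivot will pull in unrelated owners.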

BT BT 

This was a simplified snippet of the deeper analysis that we provide to our members and customers on a weekly basis. This week was busy and I thought this might be interesting. The reports, when possible, provide not only the analysis of the activity but also Snort rules, for your intrusion prevention systems, and YARA rules, which are used to check files for badness (a great overview can be found here); indicators are currently presented in Lockheed's Kill Chain format. 

Red Sky Alliance and Wapack Labs are one of the few places where users can come in, get up to speed, and get no-kidding analysis and protection strategies for advanced threats... and everyone has them. Last week I wrapped my victim notifications with a call to a four person company. While we don't do incident response, we do offer victim notifications and referrals to trusted partners. In this case, we had a local partner with deep experience in exactly the same industry as the victim. 

As an added note, I had the opportunity to participate in the US Cyber Crime Conference this week. While no longer associated with DoD, the conference was excellent. A much smaller crowd turned out... I think about 600 or so, but it was heavily commercial participation, with ten educational tracks, and as usual, Jim Christy and the folks at Tech Forums did a hell of a job. 

Ok, going for a run before it rains.

Until next time,
Have a great week!
Jeff

[i] http://www.fireeye.com/blog/uncategorized/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html
[ii] https://technet.microsoft.com/en-US/library/security/2963983
[iii] http://www.fireeye.com/blog/uncategorized/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html