
IR-18-110-002 APT28 Actors and TTPs

TLP AMBER

CYBER INTELLIGENCE REPORT
Actor Type: V
Serial: IR-18-110-002
Countries: All
Report Date: 20171006

APT28 Actors and TTPs

EXECUTIVE SUMMARY

First reported in October of 2014, APT28 has been active since at least 2007. The threat actors are known to target several sectors, including government, military, defense contractors, NGOs, media, energy, software, legal, and academia.[1] APT28 is the name that was given to this threat group by FireEye in their initial report. It has also been identified by other cyber security researchers as Pawn Storm, Sofacy Group, Sednit, Strontium, and Fancy Bear. The true identity of this group has been identified by commercial security analysts and the U.S. Intelligence Community as an element of the Russian military intelligence arm called the Main Intelligence Directorate (Главное Разведывательное Управление) or GRU. This is the group identified as behind the hacks into the Democratic National Committee and the email accounts of John Podesta and others involved in the 2016 U.S. presidential election. They have also been identified in hacks against the Turkish government, the World Anti-Doping Agency, France’s presidential campaign, and investigators working on the shootdown of Malaysian Air Flight 17.

[1] community.redskyalliance.org/docs/DOC-3171

U.S. ELECTION 2016

APT28 is best known to the public for its involvement in the Russian disruption of the 2016 presidential election process. In the summer of 2016, at least two groups linked to Russia had hacked into computer systems at the Democratic National Committee (DNC). Evidence of a compromise at the DNC was observed as early as the winter of 2015. Documents, emails, and other data were accessed and shared with the media and WikiLeaks with the apparent intent of reducing the likelihood that former Secretary of State Hillary Clinton would become President of the United States.[2] The malware and TTP used by the actors behind the DNC hack are reflective of the TTP used by two groups previously linked to Russian Intelligence: APT28 and APT29. The findings of other computer security companies that have looked at this data are consistent with what we have found working similar cases against the same threat actors.[3]

[2] community.redskyalliance.org/docs/DOC-4597
[3] community.redskyalliance.org/community/geopol/8-ball--russia--ukraine--money--other/blog/2016/12/29/us-hit-russia-with-sanctions-for-hacking

U.S. ELECTION HACK ATTRIBUTION

Several commercial security firms tied the DNC hacks to Russian intelligence. CrowdStrike (who uses the code name FANCY BEAR to refer to APT28) has stated, “Because of its extensive operations against defense ministries and other military victims, FANCY BEAR’s profile closely mirrors the strategic interests of the Russian government, and may indicate affiliation with the Main Intelligence Department or GRU, Russia’s premier military intelligence service.”[4] Dmitri Alperovitch, CrowdStrike chief technology officer, further stated, “We have high level confidence both are Russian intelligence agencies. With Fancy Bear we have medium level confidence it’s GRU, which is Russia’s military intelligence agency.”[5] SecureWorks also reported their attribution of the DNC and Podesta email hacks (which they call IRON TWILIGHT) to the GRU. While acknowledging a lack of direct evidence, they have stated the following:

“Most of the Gmail users targeted in IRON TWILIGHT’s 2015 spearphishing campaign appeared to be associated with Russian military interests, including an email address linked to a spokesperson for the Ukrainian prime minister and accounts belonging to opposition fighters in the Syrian civil war. Excluding email accounts associated with former Soviet countries, 41% of the targeted accounts belonged to military personnel or organizations. This category includes military attachés attached to European embassies. This targeting aligns with the GRU’s goals.

[4] www.crowdstrike.com/blog/who-is-fancy-bear
[5] www.csmonitor.com/World/Passcode/2016/0615/Meet-Fancy-Bear-and-Cozy-Bear-Russian-groups-blamed-for-DNC-hack

“IRON TWILIGHT’s targeting of foreign military personnel and regions where Russia is militarily active matches what CTU researchers expect from the GRU, given its remit to gather intelligence for the Russian military. Therefore, CTU researchers assess IRON TWILIGHT is probably sponsored by, or an operational function of, the GRU.”[6]

[6] www.secureworks.com/research/iron-twilight-supports-active-measures

Although the initial attribution work on the DNC case was conducted by cyber security firms, the U.S. government, incorporating commercial research, went public with attribution to Russian intelligence services. In December 2016, a joint assessment by the Department of Homeland Security and the FBI attributed the DNC intrusions to both APT28 and APT29 (believed to be the Russian FSB intelligence service):

“The U.S. Government confirms that two different RIS actors participated in the intrusion into a U.S. political party. The first actor group, known as Advanced Persistent Threat (APT) 29, entered into the party’s systems in summer 2015, while the second, known as APT28, entered in spring 2016.

“In Spring 2016, APT28 compromised the same political party, again via targeted spear phishing. This time, the spear phishing email tricked recipients into changing their passwords through a fake webmail domain hosted on APT28 operational infrastructure. Using the harvested credentials, APT28 was able to gain access and steal content, likely leading to the exfiltration of information from multiple senior party members. The U.S. Government assesses that information was leaked to the press and publicly disclosed.

“Both groups have historically targeted government organizations, think tanks, universities, and corporations around the world. APT28 is known for leveraging domains that closely mimic those of targeted organizations and tricking potential victims into entering legitimate credentials. APT28 actors relied heavily on shortened URLs in their spear phishing email campaigns.”[7]

[7] DHS/FBI Joint Analysis Report, GRIZZLY STEPPE: Russian Malicious Cyber Activity, JAR-16-20296A, December 29, 2016.

In January 2017, the Director of National Intelligence issued an unclassified version of their Intelligence Community Assessment on the DNC hacks. Their views on attribution in this case were also stated in a definitive manner:

“In July 2015, Russian intelligence gained access to Democratic National Committee (DNC) networks and maintained that access until at least June 2016. The General Staff Main Intelligence Directorate (GRU) probably began cyber operations aimed at the US election by March 2016. We assess that the GRU operations resulted in the compromise of the personal e-mail accounts of Democratic Party officials and political figures. By May, the GRU had exfiltrated large volumes of data from the DNC.

“Content that we assess was taken from e-mail accounts targeted by the GRU in March 2016 appeared on DCLeaks.com starting in June. We assess with high confidence that the GRU relayed material it acquired from the DNC and senior Democratic officials to WikiLeaks. Moscow most likely chose WikiLeaks because of its self-proclaimed reputation for authenticity. Disclosures through WikiLeaks did not contain any evident forgeries.

“We assess with high confidence that the GRU used the Guccifer 2.0 persona, DCLeaks.com, and WikiLeaks to release US victim data obtained in cyber operations publicly and in exclusives to media outlets. Guccifer 2.0, who claimed to be an independent Romanian hacker, made multiple contradictory statements and false claims about his likely Russian identity throughout the election. Press reporting suggests more than one person claiming to be Guccifer 2.0 interacted with journalists.”[8]

[8] Intelligence Community Assessment: Assessing Russian Activities and Intentions in Recent US Elections (unclassified version), ICA 2017-01D, 6 January 2017.

In response to this hacking operation, on 29 December 2016 the Obama administration announced the expulsion of 35 Russian diplomats (essentially suspected of spying) and the closure of diplomatic compounds for Russian government involvement in the cyber interference with the US presidential election. The Director of Russia’s military intelligence service, the GRU, and his deputies were among the sanctioned individuals.

MALWARE AND INFRASTRUCTURE

APT28 typically uses a multi-stage infection process with several components in sequence. SEDNIT/Infostealer.Sofacy is a downloader dropped by the first stage of the infection process and is used to download a second stage dropper from the C2. SEDNIT/Sofacy is also referred to as “SOURFACE”, and its latest version as “CORESHELL”, by FireEye. While the version information has remained consistent between samples, the Sofacy downloader has been incrementally improved with changes to network protocol and anti-analysis measures. The export name that provides the functionality of the downloader has also changed over time, from “Init1” in early 2013, to “Initialize” in late 2013, and since early 2014 has remained “Applicate.”[9]

Wapack Labs examined the C2 indicators linked to APT28 and identified many personas used to register phishing and C2 domains. Most of the observed domains were found to be configured with Russian Federation name servers ns1.carbon2u.com and ns2.carbon2u.com. In total, Wapack Labs identified 105 domains among 22 different personas. Many of the personas use the combination “[email protected]” as the registrant email. Some of these were active once for a few days or for a particular target and others were reused many times, often with gaps of a few weeks to a few months between operations.[10]

[9] community.redskyalliance.org/docs/DOC-2386
[10] community.redskyalliance.org/docs/DOC-2386

HACKING HISTORY: PAWN STORM 2014

On 24 October 2014, Trend Micro released a research paper detailing a cyber-espionage campaign it dubbed Operation Pawn Storm. The campaign consisted of economic and politically motivated attacks against military, embassy and defense contractor personnel from the United States and its allies. The attacks leveraged a malware family classified as SEDNIT, also known as InfoStealer.Sofacy. On 27 October 2014, FireEye released a research paper detailing the malware family and classifying the actor as “APT28.”[11] On 5 November 2014, Wapack Labs released a report describing the infrastructure related to the APT28 campaign known as Operation Pawn Storm. Originally, APT28 used the Russian Carbon2u name servers and a set of personas that they reused up to 18 times. While APT28 continues to create personas to register domains, the primary registration method became to pay for privacy protection services (usually with Bitcoins). This has resulted in their registering domains using different name servers.

[11] community.redskyalliance.org/docs/DOC-2386

FRANCE TV5 MONDE 2015

In April 2015, hackers claiming to be the Islamic State-affiliated ‘Cyber Caliphate’ hacked France’s TV5 Monde channel, shutting off transmissions for eighteen hours, and posting Islamic State propaganda on TV5 Monde’s Facebook and Twitter accounts. The attack also apparently resulted in significant damage to the channel’s broadcasting infrastructure. However, technical analysis of the attackers’ network infrastructure (such as the IP block hosting the “Cyber Caliphate’s” website, its server, and registrar) as well as some other sensitive-source reporting related to the malware used suggests that Russia’s APT28 was in fact the more likely perpetrator of this attack. French Police concurred with this conclusion, stating “Russian hackers linked to the Kremlin” may have been responsible.[12]

[12] community.redskyalliance.org/community/geopol/8-ball--russia--ukraine--money--other/blog/2016/03/01/review-cyber-war-in-perspective-russian-aggression-against-ukraine

TURKEY 2016

In March 2016, Trend Micro reported that Pawn Storm, also known as APT28, had started targeting government and news organizations in Turkey. In January and February, APT28 was seen attacking the Turkish government’s Directorate General of Press and Information, the country’s Grand National Assembly, the Prime Minister’s Office, and the newspaper Hürriyet. In one attack, the hackers set up fake Outlook Web Access (OWA) servers which they used in spear-phishing campaigns, trying to acquire login credentials for sensitive backends and platforms. APT28 is known for using this technique, including in attacks on U.S. defense companies and organizations tasked with investigating the crash of Malaysia Airlines Flight MH17.[13] Trend Micro also noted that the fake OWA servers were hosted via a bulletproof VPS provider which APT28 has used numerous times in past attacks.[14] These attacks took place against a background of conflict between Russia and Turkey, including an airspace sovereignty dispute that involved the shootdown of a Russian fighter aircraft by Turkey in November 2015.[15] Russia responded with sanctions against Turkey.

[13] www.securityweek.com/pawn-storm-group-targets-turkey
[14] community.redskyalliance.org/community/geopol/8-ball--russia--ukraine--money--other/blog/2016/04/15/were-russia-behind-anonymous-attacks-on-turkey
[15] live.aljazeera.com/Event/Turkey_downs_Russian_jet/207503335

BELLINGCAT 2016

Malaysian Airlines Flight 17 was shot down over Ukraine in July 2014, killing all 298 passengers and crew on board. Investigation of the incident confirmed earlier suspicions that the aircraft had been downed by a Russian surface-to-air missile fired from eastern Ukraine. A detailed public investigation was conducted by Bellingcat, an online investigative team, and it provided extensive evidence for the use of a Russian military missile launcher in the shootdown. From February 2015 to July 2016 three researchers at Bellingcat — Higgins, Aric Toler, and Veli-Pekka Kivimäki — who had contributed MH17 articles received numerous spear phishing emails, with Higgins alone receiving at least 16 phishing emails targeting his personal email account. In early May 2016 and again in mid-June, Bellingcat contributor Aric Toler’s personal email address was targeted by hackers. In the June 2016 example, Toler was targeted with a message that used [email protected] in a manner consistent with how a field director at the DNC was targeted prior to content from his personal email being posted to DCLeaks. Domains used in the Toler attack also matched those associated with APT28. The domains evrosatory.com and us-westmail-undeliversystem.com had been previously identified by PricewaterhouseCoopers as APT28, and the domain servicetransfermail.com closely resembles the servicetransferemail.com infrastructure that German Intelligence established as APT28. Further overlaps with other APT28 infrastructure were identified by pivoting off of these indicators. Based on these consistencies, APT28 is almost certainly behind the spear phishing and credential harvesting campaign targeting Bellingcat researchers.[16]

[16] community.redskyalliance.org/community/geopol/8-ball--russia--ukraine--money--other/blog/2016/10/03/investigation-into-the-downing-of-mh17-and-potential-cyber-implications
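Two of the analytic moves this report relies on are (a) pivoting on registration data, grouping domains by the registrant persona and by shared name servers such as ns1.carbon2u.com and ns2.carbon2u.com (MALWARE AND INFRASTRUCTURE above), and (b) recognising look-alike domains, such as servicetransfermail.com against servicetransferemail.com in the Bellingcat section, or a domain that embeds a target's own name the way onedrive-en-marche.fr does. The script below is an added example showing both checks in working form; it is not Wapack Labs' or any vendor's tooling. The domains and name servers are the ones the report names, but the registrant emails are invented placeholders (the report redacts the real ones) and the last two records are entirely constructed.

```python
"""Pivoting on domain registration data and spotting look-alike domains.

Added illustration; this is not Wapack Labs' or any vendor's tooling. The
registration records are constructed: the domains and the carbon2u name
servers are the ones the report names, while the registrant emails are
invented placeholders (the report redacts the real ones).
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class RegistrationRecord:
    domain: str
    registrant_email: str   # the "persona" an analyst pivots on (placeholder here)
    name_servers: tuple     # e.g. ("ns1.carbon2u.com", "ns2.carbon2u.com")


CARBON2U = ("ns1.carbon2u.com", "ns2.carbon2u.com")

# Constructed sample set (personas and the last two rows are invented).
SAMPLE_RECORDS = [
    RegistrationRecord("evrosatory.com", "persona-a@example.invalid", CARBON2U),
    RegistrationRecord("us-westmail-undeliversystem.com", "persona-a@example.invalid", CARBON2U),
    RegistrationRecord("servicetransfermail.com", "persona-b@example.invalid", CARBON2U),
    RegistrationRecord("onedrive-en-marche.fr", "persona-c@example.invalid",
                       ("ns1.privacy-proxy.invalid", "ns2.privacy-proxy.invalid")),
    RegistrationRecord("benign-site.example", "webmaster@example.invalid",
                       ("ns1.hosting.invalid", "ns2.hosting.invalid")),
]

KNOWN_NAME_SERVERS = set(CARBON2U)


def group_by_persona(records):
    """Map each registrant email to the domains registered under it."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec.registrant_email.lower()].append(rec.domain)
    return dict(groups)


def pivot_on_name_servers(records, known_ns):
    """Domains that share at least one name server with a known-bad set."""
    return sorted(rec.domain for rec in records
                  if known_ns.intersection(ns.lower() for ns in rec.name_servers))


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) via the usual DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain):
    """Strip the TLD so 'servicetransfermail.com' compares as 'servicetransfermail'."""
    return domain.lower().rsplit(".", 1)[0]


def embeds_label(candidate, protected):
    """True if the protected label sits inside the candidate, bounded by '-' or an edge."""
    idx = candidate.find(protected)
    while idx != -1:
        end = idx + len(protected)
        before_ok = idx == 0 or candidate[idx - 1] == "-"
        after_ok = end == len(candidate) or candidate[end] == "-"
        if before_ok and after_ok:
            return True
        idx = candidate.find(protected, idx + 1)
    return False


def find_lookalikes(candidates, protected, max_distance=2):
    """Flag candidates that are a near-miss of, or embed, a protected domain name."""
    hits = []
    for cand in candidates:
        c_label = registrable_label(cand)
        for prot in protected:
            p_label = registrable_label(prot)
            if c_label == p_label:
                continue
            dist = levenshtein(c_label, p_label)
            if dist <= max_distance:
                hits.append((cand, prot, f"edit distance {dist}"))
            elif embeds_label(c_label, p_label):
                hits.append((cand, prot, "embeds protected label"))
    return hits


if __name__ == "__main__":
    for persona, domains in group_by_persona(SAMPLE_RECORDS).items():
        print(persona, "->", domains)
    print("carbon2u-hosted:", pivot_on_name_servers(SAMPLE_RECORDS, KNOWN_NAME_SERVERS))
    for hit in find_lookalikes([r.domain for r in SAMPLE_RECORDS],
                               ["servicetransferemail.com", "en-marche.fr"]):
        print("look-alike:", hit)
```

The edit-distance threshold catches single-character variants; the embedding check is what catches a domain built by prefixing a service name to the target's own brand, which edit distance alone misses. In practice the protected list would be the organisation's own domains and those of the services its staff log in to, and the registration records would come from passive DNS or WHOIS history rather than a hard-coded list.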

WORLD ANTI-DOPING AGENCY (WADA) 2016

In July of 2016, independent investigations uncovered a state-sponsored doping operation in Russia. World Anti-Doping Agency (WADA) investigators review every sport in the Summer and Winter Olympics. This steroid-use scrutiny began in late 2011, preparing for the London 2012 Olympic games, and lasted until late 2015. The results of the WADA investigation led to Russia being almost totally disqualified from the 2016 Summer Olympics in Rio de Janeiro, Brazil. Russia was totally banned from the 2016 Paralympics. The Russian government officially objected, and at the same time a Russian hacking group initiated a hacking operation. This group, calling itself the “Fancy Bear Hack Team,” subsequently announced they had taken WADA files and leaked the confidential records of American athletes. In September they leaked even more data stolen from WADA. Olympians from countries such as Romania, Czech Republic, Denmark, Poland, the U.S. and the United Kingdom had sensitive athlete medical information exposed. The Fancy Bear Hack Team was proactive in dissemination, using media platforms such as Twitter and their own website to disperse the information and make statements explaining the rationale behind their breaches.[17] The original folder that was leaked from the WADA website was 412MB and contained over 3,100 email accounts along with their passwords. According to Hacked-DB, a data mining company, the accounts were hashed with the obsolete MD5 algorithm, which can be cracked in seconds. The conclusion indicated that the attack was, “executed by an SQL injection flaw with SQLMap SQL Injection Automation Tool.”[18] A Twitter account for Poland Anonymous (@AnPoland) initially claimed responsibility for the breaches and defacements of WADA. This account had been previously used for targeting of Ukraine, a typical target for Russian APT hackers and not so typical for real Polish Anonymous. Moreover, in the @AnPoland video about the hacks, suggestions in the browser revealed that the system was likely used in a Russian-language environment in spite of attempts to show a Polish-language operating system. This was revealed by Wapack Labs analysis.[19] Wapack Labs believes that the Russian actor known as APT28 obtained and leaked these medical records stolen from WADA. The targeting appears to be in accordance with the Russian agenda: it followed the Russian athletes’ doping-related ban, and it targeted the U.S. and other NATO countries. Tactics, Techniques and Procedures (TTPs) observed by incident responders to the WADA breach were similar to those used by Russian APT28 against U.S. Democratic Party organizations.[20] The leaks were likely intended to embarrass Western athletes as well as expose what they perceive to be hypocrisy in the disciplinary decisions made, such as the banning of Russian athletes from the 2016 Summer Olympic and Paralympic Games.[21]

[17] community.redskyalliance.org/docs/DOC-4311
[18] community.redskyalliance.org/docs/DOC-4311
[19] community.redskyalliance.org/docs/DOC-4287
[20] community.redskyalliance.org/docs/DOC-4287
[21] community.redskyalliance.org/docs/DOC-4287

INTERNATIONAL ASSOCIATION OF ATHLETICS FEDERATIONS (IAAF) 2016

The IAAF was also a victim of a cyber-attack in 2017 which it believes compromised athletes' Therapeutic Use Exemption (TUE) applications stored on IAAF servers. The attack was detected during an investigation carried out by the cyber incident response (CIR) firm Context Information Security, who were contacted by IAAF at the beginning of January to undertake a technical investigation across IAAF systems. The IAAF stated that the intrusion was by APT28. The presence of unauthorized remote access to the IAAF network by the attackers was noted on 21 February 2017, when metadata on athlete TUEs was collected from a file server and stored in a newly created file. However, it was not until April that the incident responders were able to study the attackers and cut them off. This targeting was likely also motivated by Russia being caught in the state-sponsored doping scandal, with many Russian athletes being banned from competition and their awards being cancelled. It is not known if this information was subsequently stolen from the network, but it does give a strong indication of the attackers’ interest and intent, and shows they had the access and means to obtain content from this file at will.

FRENCH ELECTION 2017

In March 2017, Trend Micro identified the Macron campaign as a target of APT28. Researchers found a phishing domain created by the APT28 group, “onedrive-en-marche.fr,” designed to target the campaign by impersonating a site that En Marche uses for cloud data storage. In May 2017, French President Macron’s political party issued a statement admitting that it had been hacked:

"The En Marche! party has been the victim of a massive, coordinated act of hacking, in which diverse internal information (mails, documents, accounting, contracts) have been broadcast this evening on social networks. The files which are circulating were obtained a few weeks ago thanks to the hacking of the professional and personal email accounts of several members of the campaign."

The Macron leaks had been posted on 5 May 2017, just two days ahead of the French Presidential elections. The Russians appear to have targeted Emmanuel Macron as he was running against Marine Le Pen who was definitely viewed by Russia as the preferable candidate. On 29 May 2017, after the French elections, Russian President Vladimir Putin denied the charges during an interview with Le Figaro:

“There are allegations [about] Russian hackers. Who is making these allegations? Based on what? If these are just allegations, then these hackers could be from anywhere else and not necessarily from Russia. As President Trump once said, and I think that he was totally right when he said it could have been someone sitting on their bed or somebody intentionally inserted a flash drive with the name of a Russian national, or something like that. Anything is possible in this virtual world. Russia never engages in activities of this kind, and we do not need it. It makes no sense for us to do such things. What for?”

ONLINE PRESENCE: FANCY BEARS HACK TEAM

This group appeared to be behind the leak of data taken from WADA. An entity established a website to publish this data, and they called themselves the “Fancy Bears’ Hack Team.” This is a likely allusion to the name “Fancy Bear” given to the APT actor by CrowdStrike security researchers. Despite artifacts and social media activity attempting to portray itself as associated with Anonymous, Wapack analysts assess that “Fancy Bears Hack Team” is a Russian threat actor and likely associated with, if not specifically identical to, APT28. This may indicate that the actors rather strangely accept their status as a known and studied APT group, or that they are mocking security researchers, or both. Phishing domains targeting WADA used name servers seen in the previous APT28 activities, and the video by the presumed false persona @AnPoland suggests a Russian origin of the attacks.[22]

Figure 1. Home page for Fancy Bears Hack Team (fancybear.net)

The Fancy Bears website home page included the following statement:

“Greetings citizens of the world. We are Fancy Bears. We go on exposing the athletes who violate the principles of fair play by taking doping substances. The list of doping addicts includes not only the athletes of the top Olympic teams but also those who compete for other countries. We’ll keep on telling the world about doping in elite sports. Stay tuned for new leaks.”[23]

[22] community.redskyalliance.org/docs/DOC-4287
[23] community.redskyalliance.org/docs/DOC-4311

Fancybear.net was registered on 1 September 2016 and became hosted behind Cloudflare on 8 September 2016. The @FancyBears Twitter profile was also registered in September 2016 and was first used to post material on 12 September. That same day, fancybear.net was used to release a portion of the data stolen from WADA systems.[24]

[24] community.redskyalliance.org/docs/DOC-4287

Figure 2. Fancy Bears Twitter account

POSSIBLE APT28 PERSONNEL: Georgiy Petrovich Roshka

Wapack Labs has identified, with high confidence, one Russian hacker associated with both APT28 and election hacking in France. Georgiy Roshka’s name appeared in the metadata of documents leaked during the French Presidential campaign of Emmanuel Macron, which was targeted by APT28. Some of the Macron files that had been leaked showed metadata which included alterations containing Russian language artifacts. Analysts discovered the Russian full name in Cyrillic, Георгий Петрович Рошка (Georgiy Petrovich Roshka), in the metadata of modified Excel documents originally created by the Macron campaign.

Figure 3. Metadata from Macron Excel spreadsheet with Russian name embedded

Open-source research identified a man named Georgiy Petrovich Roshka who works in a Russian company called CJSC (Closed Joint Stock Company) Eureca (also known as ZAO Evrika), which makes computers and software for the Russian government, including for their Defense Ministry and other agencies. A Georgiy Petrovich Roshka was listed as a participant of the 2014 Parallel Computing Technologies (PAVT-2014) conference and identified as a specialist working at CJSC Eureca. The main office is located in St. Petersburg, Russia, and it possesses branches in Moscow and Kursk. Eureca lists a wide range of training topics from Microsoft to VMware. Ethical Hacker Training can be found in their training curriculum. Eureca also provides training for products of the Russian company Security Code (securitycode.ru), which provides cyber security services to a wide range of top Russian companies and government agencies, including the Ministry of Defense and the FSB. Additionally, Eureca received a license to work with “secret” documents from the FSB back in 2003. Roshka’s information listed different employers in the 2016 and 2017 PAVT conference lists. In 2016, Roshka was listed as affiliated with Military Unit No 26165, which was identified as the GRU Main Center for Special Service 85, specializing in cryptography. The Main Center for Special Service 85 occupies a historic building at 20 Komsomolskiy Avenue, Moscow, Russia.

Figure 4. Text from Russian investigative website (theins.ru) with author’s comments

Parallel Computing Technology (PaVT 2016)
Roshka Georgiy, Military Unit 26165
[email protected]
“Main Center for Special Service 85 is Military Unit No. 26165, specializing in cryptography.”
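The Roshka lead above came from authorship metadata in modified Excel files. Modern Office formats (.xlsx, .docx, .pptx) are ZIP containers in which that metadata lives in docProps/core.xml, so the check is a matter of unzipping and reading a few elements. The script below is an added example of such a triage check, not the analysts' tooling: it builds a minimal constructed workbook in memory (the Cyrillic value used is the name the report quotes, but the file itself is not one of the leaked documents), extracts the creator and lastModifiedBy fields, and flags any that carry Cyrillic characters the owning organisation would not expect.

```python
"""Triage of Office document authorship metadata (docProps/core.xml).

Added example, not Wapack Labs' tooling. The sample workbook is constructed
in memory; only the Cyrillic name comes from the report's description of the
leaked files' metadata.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by OOXML core properties.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}

# Authorship fields worth reviewing and their element paths inside core.xml.
FIELDS = {
    "creator": "dc:creator",
    "lastModifiedBy": "cp:lastModifiedBy",
    "created": "dcterms:created",
    "modified": "dcterms:modified",
}


def build_sample_workbook(creator, last_modified_by):
    """Construct a minimal OOXML-style ZIP with a core.xml (constructed test data)."""
    core_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
        '<dc:creator>{creator}</dc:creator>'
        '<cp:lastModifiedBy>{lmb}</cp:lastModifiedBy>'
        '<dcterms:created xsi:type="dcterms:W3CDTF">2017-03-01T09:00:00Z</dcterms:created>'
        '<dcterms:modified xsi:type="dcterms:W3CDTF">2017-05-03T18:30:00Z</dcterms:modified>'
        '</cp:coreProperties>'
    ).format(cp=NS["cp"], dc=NS["dc"], dcterms=NS["dcterms"],
             creator=creator, lmb=last_modified_by)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")   # placeholder, not parsed here
        zf.writestr("docProps/core.xml", core_xml)
        zf.writestr("xl/workbook.xml", "<workbook/>")   # placeholder, not parsed here
    return buf.getvalue()


def extract_core_properties(blob):
    """Return the authorship fields found in the container's docProps/core.xml."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        if "docProps/core.xml" not in zf.namelist():
            return {}
        root = ET.fromstring(zf.read("docProps/core.xml"))
    props = {}
    for name, path in FIELDS.items():
        node = root.find(path, NS)
        if node is not None and node.text:
            props[name] = node.text
    return props


def has_cyrillic(text):
    """True if any character falls in the basic Cyrillic block."""
    return any("\u0400" <= ch <= "\u04FF" for ch in text)


def flag_unexpected_script(props, fields=("creator", "lastModifiedBy")):
    """List the authorship fields whose values contain Cyrillic characters."""
    return [(f, props[f]) for f in fields if f in props and has_cyrillic(props[f])]


if __name__ == "__main__":
    sample = build_sample_workbook("Campaign Staff", "Георгий Петрович Рошка")
    props = extract_core_properties(sample)
    for key, value in props.items():
        print(f"{key:15} {value}")
    for field, value in flag_unexpected_script(props):
        print(f"REVIEW: {field} contains Cyrillic -> {value!r}")
```

The same walk applies to a real file by passing its bytes to extract_core_properties; the script mismatch is a triage signal, not proof of anything on its own, and the next step for an analyst is exactly what the report describes: corroborating the name through open sources and comparing the modified timestamps against the leak timeline.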

Figure 5. GRU facility at 20 Komsomolskiy Avenue (from theins.ru)

Roshka was also listed in 2017 as affiliated with the Center for Strategic Research (a Russian Ministry of Defense cyber unit).[25] After Roshka’s name was discovered in metadata, action appears to have been taken by Russia to hide his connections to Russian agencies and their hacking endeavors. First, when contacted by researchers and journalists, Eureca denied having ever employed Roshka. South Ural State University, the host of the PAVT-2014 conference, removed the participant list that had contained Roshka’s name from their site documents. In other communications, Eureca appeared on conference lists with Roshka’s name. However, Roshka’s information listed a different employer for the 2016 and 2017 PAVT conference lists, and Eureca denied any association with Roshka. Two of the PAVT organizers refused to provide the participation lists to journalists. The Head of the System Programming Department at South Ural State University explained that the conference database “was old, it became corrupted, which caused the disks to fail and the information was lost.” The Head of the Supercomputers and Quantum IT Department at Moscow State University said he had the list, but he “can’t provide it due to a decision to secure the personal data.”

[25] community.redskyalliance.org/docs/DOC-5230

CURRENT STATUS

The wide variety of targets attacked in 2016 indicates that this group is seen by the Russian government as an essential and successful tool for strategic information operations. As the Macron attack makes clear, APT28 remains active into mid-2017.

Prepared by: Slikworm, Pan-Asia Desk
Collection and Analysis: Yury Polozov, Cyber Analyst
Information cutoff date: 16 October 2017
Reviewed by: J. Stutzman