dissection of a Cyber- Espionage attack

More documents

Recommendations

Info

The adversary APT28 #RSAC The attack has been attributed to APT Group 28, also known as “Sofacy” or “Sednit”. I will call it “APT28” from now on. APT28 group believed to have been in operation since 2007 and has been identified in several attacks that have targeted Eastern European governments, military and security-related organizations including the North Atlantic Treaty Organization (NATO). The group uses a complex set of tools and strategies to put a foothold in an environment and to control and steal interesting data. Several sources consider APT28 a group of CyberMercs based in Russia.
The target: the moat without water How to develop a good network segmentation and be breached #RSAC The attack has targeted a military environment in EMEA region. The environment has born segmented, with several layer of controls to preserve confidentiality and integrity of exchanged and stored data. The segmentation separates the network in several layers with different level of “trust”. Any operator receives a badge and a smartcard to operate in the network. Communication from a lower to an higher layer of trust is blocked, instead communication from higher layer to a lower one are permitted. At the beginning of the investigation I discovered that the base lacks any real network visibility. The only network devices capable of analyzing streams were sporadic IDS and IPS placed in non strategic points.
Page 1 and 2: SESSION ID: CTT-W08 Evolving Threat
Page 3: Agenda What we discuss today Today
Page 7 and 8: The target: the moat without water
Page 9 and 10: The attack strategy How they break-
Page 11 and 12: Attack Overview: End of First Wave
Page 13 and 14: Attack Overview: End of Second Wave
Page 15 and 16: The attack strategy The infection p
Page 17 and 18: Pwning the core: CVE-2015-1701 AKA
Page 19 and 20: Patient Zero How the victim discove
Page 21 and 22: Patient Zero consequences How the a
Page 23 and 24: What we can bring to the table? #RS
Page 25 and 26: Actionable IoCs What our methodolog
Page 27 and 28: Investigation: first step The Custo
Page 29 and 30: Our investigation Our approach tail
Page 31 and 32: APT 28 Tools APT 28 Tools seen in t
Page 33 and 34: APT 28 Tools CORESHELL ATTRIBUTION
Page 35 and 36: APT 28 Tools EVILTOSS ATTRIBUTION B
Page 37 and 38: APT 28 Tools CHOPSTICK CHOPSTICK i
Page 39 and 40: The attack strategy IOC: C2 list T
Page 41 and 42: Conclusion What I can suggest It i
Page 43 and 44: #RSAC

dissection of a Cyber- Espionage attack

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?