Potential for false flag operations in the DNC Hack
Jake Williams
Rendition Infosec
rsec.us
@MalwareJake

# whoami
• Passionate about security
• More than a decade of InfoSec experience
• Some things about me:
  – Forensic Analyst
  – Incident Responder
  – Vulnerability Researcher
  – SANS Instructor/Course Author
  – Conference Addict
(C) 2016 Rendition Infosec - Jake Williams

Agenda
• Why do we care?
• Overview of the hack
• TTPs known to be used
• File metadata from exfiltrated docs
• False flag opportunities

Why do we care?
• Suppose your organization is concerned with politics
  – Or Russia
  – Or Foreign Policy
• Your leaders want you to validate the attribution and help them understand the connections between the DNC hack and Russia
• Leadership is reading about the Guccifer 2.0 character and is worried about lone actors

Attack Timeline
• 14JUN – DNC hack announced (more or less) by Crowdstrike
• 15JUN – Guccifer 2.0 takes credit, Russia publicly denies involvement
  – “maybe someone forgot the password”
• 18JUN, 21JUN – Guccifer 2.0 releases more docs
• 20JUN – Threatgeek posts findings from malware analysis
• 22JUN – Guccifer 2.0 opens DMs for media inquiries

Guccifer Really Dislikes Crowdstrike
• While it’s possible that Guccifer is a Russian puppet, he really dislikes Crowdstrike

CrowdStrike Stands by Analysis

Attribution Considerations
• TTPs used by the attacker
• Specific malware used
• Malware characteristics observed
• Command and control domains, IP addresses, and other infrastructure

On Validating Attribution
Observable Facts > Others’ Analyses

Diamond Model

Our Diamond Model
• Adversary: Russia??? Other actor?
• Infrastructure: 185.100.84.134, 58.49.58.58, 218.1.98.203, 187.33.33.80, 185.86.148.227, 45.32.129.185, 23.227.196.217
• Capability: SeaDaddy, Powershell, X-Agent, X-Tunnel
• Victim: Email server, IRC/Chat server

What do we know?
• Capability
  – Credential theft
  – Living off the land
• Infrastructure
  – Multiple IP addresses and malware
  – Domains not specified in Crowdstrike reporting
• Victim
  – DNC email and chat servers (and certainly others)

Infrastructure
• Quickly pivoted from reported IP 185.100.84.134
• Looks like a pretty low reputation CIDR…
• Thanks RecordedFuture!

Infrastructure (2)
• Quickly pivoted from reported IP 185.100.84.134
• Taking a look at domains related to this IP – nothing from Domain Tools

Infrastructure
• Being from Romania isn’t necessarily bad

TTPs – Compromised Websites for C2
• Earlier websites seen used by SEADUKE malware were compromised
  – Renders reverse whois useless…

Let’s try another IP
• Looks like 58.49.58.58 is running an Apache web server – in China

Let’s try another IP (2)
• No info in mnemonic or virustotal for 58.49.58.58 either

Why the focus on C2?
• The attackers either have to purchase or compromise C2
• If purchased, there may be links we can follow
  – Registration email
  – Where is the domain parked
• If compromised, there may be something common in the targets that suggests a particular capability
  – Perhaps all compromised domains are running Drupal or Wordpress

Malware Artifact Challenges
• Malware artifacts may also say something about the attacker
• These are easy to fake – we do it all the time at Rendition Infosec
• Black Hills Infosec used to provide a service to embed APT related strings in existing binaries
• Ed Skoudis has been saying for years that connections to the Stuxnet code can’t really be trusted – too easy to false flag
• Powershell is just text – too easy to copy “coding styles”

Malware Artifacts of Interest
• ThreatGeek reported that X-Tunnel sample had embedded OpenSSL 1.0.1e
  – Heartbleed vulnerable!
• Attackers reused some C2 IP addresses hardcoded into the DNC X-Tunnel sample from a sample seen in the German Parliament attack in 2015
• FireEye reporting links malware in the German Parliament attack to Russia
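
The slide above links two samples through static artifacts: an embedded OpenSSL version banner and hardcoded C2 addresses. The Python below is an added example, not code from the talk or from Rendition Infosec, showing the triage an analyst would run on two binaries: pull out version banners and IPv4 literals, flag builds in the Heartbleed-affected range (OpenSSL 1.0.1 through 1.0.1f), and report what the two samples share. The sample bytes are constructed stand-ins (not real X-Tunnel data), the addresses come from the RFC 5737 documentation ranges, and the function names are this example's own.

```python
import re

# Heartbleed (CVE-2014-0160) affected OpenSSL 1.0.1 through 1.0.1f; 1.0.1g shipped the fix.
HEARTBLEED_AFFECTED = {"1.0.1"} | {"1.0.1" + c for c in "abcdef"}

# Every OpenSSL build embeds a banner such as "OpenSSL 1.0.1e 11 Feb 2013".
OPENSSL_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?)")
# Dotted quads, bounded so that version fragments like "1.0.1e" are not taken as addresses.
IPV4_RE = re.compile(rb"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def extract_artifacts(data):
    """Return the OpenSSL version strings and IPv4 literals found in a binary blob."""
    versions = {m.group(1).decode("ascii") for m in OPENSSL_RE.finditer(data)}
    ips = set()
    for m in IPV4_RE.finditer(data):
        text = m.group(0).decode("ascii")
        # Drop things that look like addresses but have an octet above 255.
        if all(int(octet) <= 255 for octet in text.split(".")):
            ips.add(text)
    return {"openssl_versions": versions, "ipv4": ips}


def heartbleed_exposed(versions):
    """True if any embedded OpenSSL build falls in the Heartbleed-affected range."""
    return any(v in HEARTBLEED_AFFECTED for v in versions)


def overlap(artifacts_a, artifacts_b):
    """Artifacts common to two samples: the kind of link the deck draws between the
    DNC and German Parliament X-Tunnel samples. Shared strings are a lead, not proof;
    a version banner or an IP literal is trivial to plant in a binary."""
    return {key: artifacts_a[key] & artifacts_b[key] for key in artifacts_a}


# Constructed stand-ins for two samples (NOT real X-Tunnel bytes). The addresses are
# from the RFC 5737 documentation ranges, so they point at nothing.
SAMPLE_A = (b"MZ\x90\x00" + b"\x00" * 8
            + b"OpenSSL 1.0.1e 11 Feb 2013\x00"
            + b"203.0.113.5\x00" + b"198.51.100.7\x00")
SAMPLE_B = (b"MZ\x90\x00" + b"\x00" * 8
            + b"OpenSSL 1.0.1e 11 Feb 2013\x00"
            + b"203.0.113.5\x00" + b"192.0.2.9\x00")


if __name__ == "__main__":
    a, b = extract_artifacts(SAMPLE_A), extract_artifacts(SAMPLE_B)
    print("sample A:", a, "heartbleed:", heartbleed_exposed(a["openssl_versions"]))
    print("shared with sample B:", overlap(a, b))
```

Run it as a script to see the overlap report; on real samples the same two functions work on the raw file bytes. The overlap is what the deck calls a link between campaigns, and the next slides explain why it is only a weak one.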

Document Metadata
• Many stolen documents have been released by Guccifer 2.0
• Some metadata seems more than a little off…
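
The deck's point is that the metadata in the leaked documents looks off, and a later slide lists planted metadata as a false flag opportunity. As an added example (not from the talk or Rendition Infosec), the Python below reads the Office Open XML core properties (docProps/core.xml) and extended properties (docProps/app.xml) from a .docx and applies a few internal consistency checks an analyst would run before treating those fields as attribution evidence. The three sample documents, the names, timestamps and edit times in them, and the finding labels are all constructed for this example; the XML namespaces are the standard OOXML ones.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime

# Standard OOXML namespaces for core and extended document properties.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}


def _parse_w3cdtf(value):
    """core.xml timestamps are W3CDTF, e.g. 2016-06-15T10:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None


def read_metadata(docx_bytes):
    """Read the fields most often cited in attribution from a .docx package."""
    def text(root, path):
        el = root.find(path, NS) if root is not None else None
        return el.text if el is not None else None

    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        core = ET.fromstring(z.read("docProps/core.xml"))
        app = ET.fromstring(z.read("docProps/app.xml")) if "docProps/app.xml" in z.namelist() else None
    return {
        "creator": text(core, "dc:creator"),
        "last_modified_by": text(core, "cp:lastModifiedBy"),
        "revision": int(text(core, "cp:revision") or 0),
        "created": _parse_w3cdtf(text(core, "dcterms:created")),
        "modified": _parse_w3cdtf(text(core, "dcterms:modified")),
        "total_edit_minutes": int(text(app, "ep:TotalTime") or 0),
        "application": text(app, "ep:Application"),
    }


def consistency_findings(meta):
    """Internal contradictions that suggest the fields were set by hand or by a tool
    rather than by an ordinary editing session. No findings proves nothing: a careful
    actor can plant a perfectly consistent set of values."""
    findings = []
    created, modified = meta["created"], meta["modified"]
    if created and modified and modified < created:
        findings.append("modified timestamp precedes created timestamp")
    elif created and modified:
        # Word's TotalTime is minutes of editing; it cannot exceed the lifetime of the file.
        window = (modified - created).total_seconds() / 60
        if meta["total_edit_minutes"] > window:
            findings.append("app.xml TotalTime exceeds the created-to-modified window")
    if (meta["revision"] <= 1 and meta["creator"] and meta["last_modified_by"]
            and meta["creator"] != meta["last_modified_by"]):
        findings.append("revision count is 1 but creator and lastModifiedBy differ")
    return findings


CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <dc:creator>{creator}</dc:creator>
  <cp:lastModifiedBy>{modified_by}</cp:lastModifiedBy>
  <cp:revision>{revision}</cp:revision>
  <dcterms:created xsi:type="dcterms:W3CDTF">{created}</dcterms:created>
  <dcterms:modified xsi:type="dcterms:W3CDTF">{modified}</dcterms:modified>
</cp:coreProperties>"""

APP_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="{ep}"><Application>Microsoft Office Word</Application>
<TotalTime>{total_time}</TotalTime></Properties>"""


def make_docx(creator, modified_by, revision, created, modified, total_time):
    """Build a constructed, minimal .docx-style package carrying the given properties."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", CORE_XML.format(
            creator=creator, modified_by=modified_by, revision=revision,
            created=created, modified=modified, **NS))
        z.writestr("docProps/app.xml", APP_XML.format(total_time=total_time, **NS))
    return buf.getvalue()


# Constructed samples; every name and date here is invented for the example.
CLEAN_DOCX = make_docx("alice", "alice", 3, "2016-06-01T09:00:00Z", "2016-06-01T11:30:00Z", 90)
PLANTED_DOCX = make_docx("alice", "bob", 1, "2016-06-15T10:00:00Z", "2016-06-15T10:05:00Z", 600)
BACKDATED_DOCX = make_docx("alice", "alice", 2, "2016-06-15T10:00:00Z", "2016-06-14T09:00:00Z", 10)

if __name__ == "__main__":
    for name, blob in [("clean", CLEAN_DOCX), ("planted", PLANTED_DOCX), ("backdated", BACKDATED_DOCX)]:
        print(name, consistency_findings(read_metadata(blob)))
```

Point read_metadata at the bytes of a real .docx to get the same dictionary; the checks are deliberately conservative, because the only thing they can establish is that a document's own fields contradict each other, never who wrote them.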

Document Metadata (2)

Document Metadata (3)

False Flag Opportunities
• Copying Powershell from other reports
• Planting malware artifacts
• Using compromised C2 servers from multiple countries rather than registering domains
• Planting document metadata
• Use of social media puppet with broken English
• Publicly discrediting the work of researchers

False Flag PowerShell
• Sure we’ve seen the PowerShell key before
  – But you can create “Russian Malware” using it too!

False Flag Puppet Blogs
• I went to register the Wordpress blog guccifer3
  – Someone else had already done it…

Some ACH Love
• No time to cover full ACH (Analysis of Competing Hypotheses), but here are some hypotheses
  – It was Russia and Guccifer 2.0 is a puppet
  – It was another unknown state actor
  – Guccifer 2.0 and the Russians both hacked the DNC independently
  – The docs leaked by Guccifer 2.0 are all fake
  – There was never any compromise of the DNC

So Whodunnit?
• With the data publicly available today, we can’t conclude with certainty
• But based on available evidence, most probably…

Obligatory Questions Slide
• Thanks for your attention
• Open the floor to questions
• Hit me up at:
  – @Malwarejake
  – jake@renditioninfosec.com
  – rsec.us