
Potential for false flag operations in the DNC Hack

Jake Williams

Rendition Infosec

rsec.us

@MalwareJake


# whoami

• Passionate about security

• More than a decade of InfoSec experience

• Some things about me:

– Forensic Analyst

– Incident Responder

– Vulnerability Researcher

– SANS Instructor/Course Author

– Conference Addict

(C) 2016 Rendition Infosec - Jake Williams


Agenda

• Why do we care?

• Overview of the hack

• TTPs known to be used

• File metadata from exfiltrated docs

• False flag opportunities



Why do we care?

• Suppose your organization is concerned with politics

– Or Russia

– Or Foreign Policy

• Your leaders want you to validate the attribution and help them understand the connections between the DNC hack and Russia

• Leadership is reading about the Guccifer 2.0 character and is worried about lone actors



Attack Timeline

• 14JUN – DNC hack announced (more or less) by CrowdStrike

• 15JUN – Guccifer 2.0 takes credit, Russia publicly denies involvement

– “maybe someone forgot the password”

• 18JUN, 21JUN – Guccifer 2.0 releases more docs

• 20JUN – ThreatGeek posts findings from malware analysis

• 22JUN – Guccifer 2.0 opens DMs for media inquiries



Guccifer Really Dislikes CrowdStrike

• While it’s possible that Guccifer is a Russian puppet, he really dislikes CrowdStrike



CrowdStrike Stands by Analysis



Attribution Considerations

• TTPs used by the attacker

• Specific malware used

• Malware characteristics observed

• Command and control domains, IP addresses, and other infrastructure



On Validating Attribution

Observable Facts > Others’ Analyses



Diamond Model


Our Diamond Model

Adversary: Russia??? Other actor?

Capability: SeaDaddy, Powershell, X-Agent, X-Tunnel

Infrastructure: 185.100.84.134, 58.49.58.58, 218.1.98.203, 187.33.33.80, 185.86.148.227, 45.32.129.185, 23.227.196.217

Victim: Email server, IRC/Chat server


What do we know?

• Capability

– Credential theft

– Living off the land

• Infrastructure

– Multiple IP addresses and malware

– Domains not specified in CrowdStrike reporting

• Victim

– DNC email and chat servers (and certainly others)



Infrastructure

• Quickly pivoted from reported IP 185.100.84.134

• Looks like a pretty low reputation CIDR…

• Thanks RecordedFuture!



Infrastructure (2)

• Quickly pivoted from reported IP 185.100.84.134

• Taking a look at domains related to this IP – nothing from DomainTools



Infrastructure

• Being from Romania isn’t necessarily bad



TTPs – Compromised Websites for C2

• Earlier websites seen used by SEADUKE malware were compromised

– Renders reverse whois useless…



Let’s try another IP

• Looks like 58.49.58.58 is running an Apache web server – in China



Let’s try another IP (2)

• No info in mnemonic or VirusTotal for 58.49.58.58 either



Why the focus on C2?

• The attackers either have to purchase or compromise C2

• If purchased, there may be links we can follow

– Registration email

– Where is the domain parked

• If compromised, there may be something common in the targets that suggests a particular capability

– Perhaps all compromised domains are running Drupal or WordPress



Malware Artifact Challenges

• Malware artifacts may also say something about the attacker

• These are easy to fake – we do it all the time at Rendition Infosec

• Black Hills Infosec used to provide a service to embed APT related strings in existing binaries

• Ed Skoudis has been saying for years that connections to the Stuxnet code can’t really be trusted – too easy to false flag

• Powershell is just text – too easy to copy “coding styles”



Malware Artifacts of Interest

• ThreatGeek reported that X-Tunnel sample had embedded OpenSSL 1.0.1e

– Heartbleed vulnerable!

• Attackers reused some C2 IP addresses hardcoded into the DNC X-Tunnel sample from a sample seen in the German Parliament attack in 2015

• FireEye reporting links malware in the German Parliament attack to Russia
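The OpenSSL banner is the kind of embedded artifact ThreatGeek's finding rests on, and it is also the kind of string the previous slide warns is easy to plant. As an added example (not code from the talk or from any of the teams mentioned), this Python scans a binary for the version banner OpenSSL compiles into its library, flags Heartbleed-affected releases, and checks the banner's build date against the known release date of that version, since a mismatch is one sign the string was edited in by hand. The sample bytes are constructed, not real malware.

```python
import re

# Heartbleed (CVE-2014-0160) affected OpenSSL 1.0.1 through 1.0.1f; 1.0.1g fixed it.
HEARTBLEED_VERSIONS = {"1.0.1", "1.0.1a", "1.0.1b", "1.0.1c", "1.0.1d", "1.0.1e", "1.0.1f"}

# Release dates exactly as they appear in the banner OpenSSL compiles into libcrypto/libssl.
RELEASE_DATES = {"1.0.1e": "11 Feb 2013", "1.0.1f": "6 Jan 2014",
                 "1.0.1g": "7 Apr 2014", "1.0.2k": "26 Jan 2017"}

# The banner looks like "OpenSSL 1.0.1e 11 Feb 2013"; the date part is treated as optional.
BANNER_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?)(?: (\d{1,2} [A-Z][a-z]{2} \d{4}))?")


def find_openssl_banners(blob: bytes) -> list[dict]:
    """Return every OpenSSL version banner found in a binary, with consistency flags."""
    hits = []
    for m in BANNER_RE.finditer(blob):
        version = m.group(1).decode()
        date = m.group(2).decode() if m.group(2) else None
        known = RELEASE_DATES.get(version)
        hits.append({
            "offset": m.start(),
            "version": version,
            "build_date": date,
            "heartbleed": version in HEARTBLEED_VERSIONS,
            # None when the version is not in our table; False is the planted-string signal.
            "date_consistent": None if known is None or date is None else date == known,
        })
    return hits


# Constructed samples (not real malware): junk bytes around a banner.
SAMPLE = b"\x00MZ\x90\x00junk" + b"OpenSSL 1.0.1e 11 Feb 2013\x00" + b"\xff" * 8
# Same version string, but a date 1.0.1e never shipped with.
TAMPERED = b"\x00" * 4 + b"OpenSSL 1.0.1e 31 Dec 2015\x00"

if __name__ == "__main__":
    for hit in find_openssl_banners(SAMPLE + TAMPERED):
        print(hit)
```

A real build compiled against 1.0.1e carries the matching date, so a consistent banner still proves nothing about the author; an inconsistent one only shows that someone touched the string.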



Document Metadata

• Many stolen documents have been released by Guccifer 2.0

• Some metadata seems more than a little off…
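One way to put numbers behind "seems off", as an added example that is not part of the talk: the Python below reads the OOXML core properties (creator, last editor, timestamps, revision) out of a .docx and flags internal contradictions such as a modified time earlier than the created time, which are what hand-edited or regenerated metadata tends to produce. The .docx is built in memory from a constructed core.xml only, and the names and dates in it are made up.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime

# Namespaces used by docProps/core.xml inside a .docx (OOXML core properties).
NS = {"cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
      "dc": "http://purl.org/dc/elements/1.1/",
      "dcterms": "http://purl.org/dc/terms/"}
W3CDTF = "%Y-%m-%dT%H:%M:%SZ"


def read_core_properties(docx_bytes: bytes) -> dict:
    """Extract creator, last editor, timestamps and revision count from a .docx."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))

    def text(tag):
        el = root.find(tag, NS)
        return el.text if el is not None else None
    return {"creator": text("dc:creator"), "last_modified_by": text("cp:lastModifiedBy"),
            "created": text("dcterms:created"), "modified": text("dcterms:modified"),
            "revision": text("cp:revision")}


def metadata_flags(props: dict) -> list[str]:
    """Return the contradictions and oddities an analyst should ask about."""
    flags = []
    created = datetime.strptime(props["created"], W3CDTF) if props["created"] else None
    modified = datetime.strptime(props["modified"], W3CDTF) if props["modified"] else None
    if created and modified and modified < created:
        flags.append("modified timestamp precedes created timestamp")
    if props["creator"] and props["last_modified_by"] and props["creator"] != props["last_modified_by"]:
        flags.append("last saved by %r, not by creator %r" % (props["last_modified_by"], props["creator"]))
    return flags


def build_docx(creator, editor, created, modified, revision) -> bytes:
    """Constructed sample: a zip carrying only core.xml, enough for the checks above."""
    core = (f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}" '
            f'xmlns:dcterms="{NS["dcterms"]}" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
            f'<dc:creator>{creator}</dc:creator><cp:lastModifiedBy>{editor}</cp:lastModifiedBy>'
            f'<cp:revision>{revision}</cp:revision>'
            f'<dcterms:created xsi:type="dcterms:W3CDTF">{created}</dcterms:created>'
            f'<dcterms:modified xsi:type="dcterms:W3CDTF">{modified}</dcterms:modified>'
            '</cp:coreProperties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
    return buf.getvalue()


# Constructed suspect document: a different last editor and timestamps that run backwards.
SUSPECT = build_docx("Analyst A", "Editor B", "2016-06-15T14:00:00Z", "2016-06-15T13:30:00Z", "2")

if __name__ == "__main__":
    props = read_core_properties(SUSPECT)
    print(props, metadata_flags(props))
```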







False Flag Opportunities

• Copying Powershell from other reports

• Planting malware artifacts

• Using compromised C2 servers from multiple countries rather than registering domains

• Planting document metadata

• Use of social media puppet with broken English

• Publicly discrediting the work of researchers



False Flag PowerShell

• Sure we’ve seen the PowerShell key before

– But you can create “Russian Malware” using it too!



False Flag Puppet Blogs

• I went to register the Wordpress blog guccifer3

– Someone else had already done it…



Some ACH Love

• No time to cover full ACH (Analysis of Competing Hypotheses), but here are some hypotheses

– It was Russia and Guccifer 2.0 is a puppet

– It was another unknown state actor

– Guccifer 2.0 and the Russians both hacked the DNC independently

– The docs leaked by Guccifer 2.0 are all fake

– There was never any compromise of the DNC



So Whodunnit?

• With the data publicly available today, we can’t conclude with certainty

• But based on available evidence, most probably…



Obligatory Questions Slide

• Thanks for your attention

• Open the floor to questions

• Hit me up at:

– @Malwarejake

– jake@renditioninfosec.com

– rsec.us
