Attribution in a world of cyberespionage
Yury Namestnikov
Head, Global Research and Analysis Team, Russia
Our Research
APT attacks – well planned and well resourced
Darkhotel Part 2
MsnMM campaigns
Satellite Turla
WildNeutron
BlueTermite
SpringDragon
2011
2010
2013
Stuxnet
Duqu
2012
Gauss
Flame
miniFlame
NetTraveler
Miniduke
RedOctober
Icefog
Winnti
Kimsuky
TeamSpy
2014
Epic Turla
CosmicDuke
Regin
Careto/The Mask
Energetic Bear /
Crouching Yeti
Darkhotel
2015
Desert Falcons
Hellsing
Sofacy
Carbanak
Equation
Naikon
AnimalFarm
Duqu 2.0
ProjectSauron
Saguaro
StrongPity
Ghoul
Fruity Armor
ScarCruft
2016
Poseidon
Lazarus
Lurk
GCMan
Danti
Adwind
Dropping Elephant
Metel
Shamoon 2.0
WannaCry
Moonlight Maze
WhiteBear
Silence
2017
ShadowPad
BlueNoroff
ExPetr / NotPetya
ATMitch
BlackOasis
StoneDrill
APT Names
https://docs.google.com/spreadsheets/u/1/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/pubhtml#
Okay, you know who did it and what next?
Theory vs Practice
Right way to attribute cyberattacks:
• Catch cyber criminals through cooperation between different local police departments and industry experts
In reality:
• Slow cross-border interaction
• Tons of paperwork
• Politics
Bad OpSec
Code Reuse
False Flags
Infrastructure Reuse
Code similarity and bad OPSEC: big stories
May 12, 2017…
2017 WannaCry and 2015 Lazarus backdoor: custom SSL implementation
Problem: find common code between files
• Easy approach: generate all 8-16-byte strings for all files in our collection. For new files, check overlaps.
• Problems:
  • Collection too big.
  • Capex too small.
• How to solve it?
Introducing: APT similarity hunting with Yara
Solution – multi-step
• Identify relevant code in a file
• Extract _ONLY_ “interesting” strings
• Create a whitelist database of strings from clean files
• Extract interesting strings from new samples that are not in the whitelist db
• Make a Yara rule
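The five steps above as one runnable pipeline, an added example in Python that is not the speaker's system (the similarity engine described in the talk is not public); it also stands in for the problem slide's 8-16-byte substring approach, using whole printable strings instead of every substring. The clean files and the suspect sample are constructed byte strings, and `hunt`, `make_yara_rule` and the other names are this example's own.

```python
import re
from typing import Iterable, List, Set

# Printable-ASCII runs of 8..64 bytes. Indexing every 8-16 byte substring of every file
# (the "easy approach") is what makes the collection too big; whole strings are far fewer.
STRING_RE = re.compile(rb"[\x20-\x7e]{8,64}")

def extract_strings(blob: bytes) -> List[bytes]:
    """Steps 1-2: candidate strings from one file, deduplicated, file order kept."""
    return list(dict.fromkeys(STRING_RE.findall(blob)))

def build_whitelist(clean_files: Iterable[bytes]) -> Set[bytes]:
    """Step 3: anything that occurs in a known-clean file is uninteresting by definition."""
    whitelist: Set[bytes] = set()
    for f in clean_files:
        whitelist.update(extract_strings(f))
    return whitelist

def interesting_strings(sample: bytes, whitelist: Set[bytes]) -> List[bytes]:
    """Step 4: keep only strings that no clean file contains."""
    return [s for s in extract_strings(sample) if s not in whitelist]

def make_yara_rule(name: str, strings: List[bytes], min_hits: int = 2) -> str:
    """Step 5: emit a Yara text rule. Requiring several of the strings avoids a match on
    one coincidental string the whitelist happened to miss; no strings means no rule."""
    if not strings:
        return ""
    lines = [f"rule {name}", "{", "    strings:"]
    for i, s in enumerate(strings):
        esc = s.decode("ascii").replace("\\", "\\\\").replace('"', '\\"')
        lines.append(f'        $s{i} = "{esc}" ascii')
    lines += ["    condition:", f"        {min(min_hits, len(strings))} of them", "}"]
    return "\n".join(lines)

# Constructed stand-ins (not real binaries): two clean files and one suspect sample that
# carries a home-grown TLS routine alongside ordinary import names.
CLEAN_FILES = [
    b"MZ\x90\x00KERNEL32.dll\x00GetProcAddress\x00This program cannot be run in DOS mode",
    b"MZ\x90\x00KERNEL32.dll\x00CreateFileW\x00Copyright (c) constructed vendor",
]
SAMPLE = (b"MZ\x90\x00KERNEL32.dll\x00GetProcAddress\x00"
          b"custom_ssl_handshake_v2\x00tls_custom_record_layer_init\x00")

def hunt(sample: bytes, clean_files: Iterable[bytes], rule_name: str):
    """Run the whole pipeline; returns (interesting strings, Yara rule text)."""
    found = interesting_strings(sample, build_whitelist(clean_files))
    return found, make_yara_rule(rule_name, found)
```

The whitelist here is a Python set; at the scale quoted on the next slide it would be a persistent store keyed by string hash, but the filtering logic is the same.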
Our code similarity system
• processed samples per day: ~250K
• known good samples: 28 million
• known good strings: ~4 billion
• known good opcode sequences: ~8 billion
Output: Yara rules and similarity profiles
WannaCry rule catches: BlueNoroff, ManusCrypt, Decafett
Attributing APT malware by common code
CCleaner malware – custom base64 encoding
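A check a hunter can run for the point above, added here as an example rather than the slide's or the CCleaner sample's code: every base64 encoder, standard or custom, embeds its alphabet as a run of 64 distinct visible-ASCII bytes, so scanning a file for such runs and comparing each to the standard alphabet surfaces a custom encoding that a similarity rule can then key on. The custom table, the sample bytes and the function names are constructed for this example.

```python
import base64
import string

STD_TABLE = (string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/").encode()
PRINTABLE = frozenset(range(0x21, 0x7f))  # visible ASCII; alphabets hold no space/control bytes

def find_b64_tables(blob: bytes):
    """Return (offset, table, is_custom) for each run of 64 distinct visible-ASCII bytes.

    Every base64 encoder keeps its alphabet as exactly such a run, so a non-standard run
    is a fingerprint the same codebase carries from sample to sample."""
    hits, i = [], 0
    while i + 64 <= len(blob):
        window = blob[i:i + 64]
        if len(set(window)) == 64 and all(b in PRINTABLE for b in window):
            hits.append((i, bytes(window), window != STD_TABLE))
            i += 64  # skip past the table just recorded
        else:
            i += 1
    return hits

def custom_tables(blob: bytes):
    """Only the non-standard tables: the ones worth turning into a similarity rule."""
    return [(off, tbl) for off, tbl, custom in find_b64_tables(blob) if custom]

def decode_with_table(data: bytes, table: bytes) -> bytes:
    """Decode data produced with a custom alphabet by mapping it back onto the standard one;
    '=' padding is outside both tables and passes through untouched."""
    return base64.b64decode(data.translate(bytes.maketrans(table, STD_TABLE)))

def encode_with_table(data: bytes, table: bytes) -> bytes:
    """Encoder side, used only to build the constructed sample below."""
    return base64.b64encode(data).translate(bytes.maketrans(STD_TABLE, table))

# Constructed sample (not the CCleaner binary): a reversed alphabet, then the standard one
# as a control, then a short blob encoded with the custom alphabet, padded with NULs.
CUSTOM_TABLE = STD_TABLE[::-1]
CONFIG = b"constructed configuration blob"
SAMPLE = (b"\x00" * 16 + CUSTOM_TABLE + b"\x00" * 8 + STD_TABLE + b"\x00" * 8
          + encode_with_table(CONFIG, CUSTOM_TABLE) + b"\x00" * 4)
```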
Regin – GSM network pwnage
Regin rule: Yara finds Shadowbrokers’ cnli-1.dll
Shadowbrokers dump libraries?
cnli-1.dll exports:
CNE?
Regin / cnli-1.dll shared code example:
Regin sample: 66afaa303e13faa4913eaad50f7237ea
cnli-1.dll: 07cc65907642abdc8972e62c1467e83b
The Lamberts APT
3 years of research
Story started from a zero-day
Targets list includes: aerospace, ICS, energy sector, nuclear research, engineering
Operator can do anything: 60+ modules
The Lamberts APT
WhiteLambert 1.2 driver: 2f60906ca535eb958389e6aed454c2a2
BlackLambert font exploit: 99ef1e473ac553cf80f6117b2e95e79b
BrownLambert: 6c466283e7f8757973ba253aa6080d8c
False Flags
Attribution 2.0?
Attribution 2.0
• Tasks which took months (years?) can now be done in minutes
• Technology will become ubiquitous in 2-3 years
• Attributing attacks can be partly automated
• Effect: more false flags
  • Think of Lazarus malware with Russian keywords, evolved
  • OlympicDestroyer
• Effect: more scripting, reliance on automated tools
  • PowerShell, CobaltStrike to Metasploit
Let’s find out more together
Yury Namestnikov, Kaspersky Labs