Greg Hoglund - Understanding Chinese APT Hackers: Attribution, Attack Trends and Why It Matters
![Page 1: Greg Hoglund - Understanding Chinese APT Hackers: Attribution, Attack Trends and Why It Matters](https://reader035.vdocuments.site/reader035/viewer/2022081401/5572124c497959fc0b9064d9/html5/thumbnails/1.jpg)
Understanding Chinese APT Attackers
Greg Hoglund
CTO ManTech CSI & VP, Cofounder HBGary
October 2012
![Page 2: Greg Hoglund - Understanding Chinese APT Hackers: Attribution, Attack Trends and Why It Matters](https://reader035.vdocuments.site/reader035/viewer/2022081401/5572124c497959fc0b9064d9/html5/thumbnails/2.jpg)
Until recently, this information was known only to those with security clearances. ALL DATA IN THIS PRESENTATION IS UNCLASSIFIED AND REFERENCED FROM PUBLIC SOURCES
![Page 3: Greg Hoglund - Understanding Chinese APT Hackers: Attribution, Attack Trends and Why It Matters](https://reader035.vdocuments.site/reader035/viewer/2022081401/5572124c497959fc0b9064d9/html5/thumbnails/3.jpg)
![Page 4: Greg Hoglund - Understanding Chinese APT Hackers: Attribution, Attack Trends and Why It Matters](https://reader035.vdocuments.site/reader035/viewer/2022081401/5572124c497959fc0b9064d9/html5/thumbnails/4.jpg)
Chinese Espionage
• A focused, organized, and ongoing program of computer exploitation, with the explicit goal of stealing intellectual property and strategic economic information.
Much of the public information about Chinese espionage was leaked via the Wikileaks U.S. Diplomatic Cables
![Page 5: Greg Hoglund - Understanding Chinese APT Hackers: Attribution, Attack Trends and Why It Matters](https://reader035.vdocuments.site/reader035/viewer/2022081401/5572124c497959fc0b9064d9/html5/thumbnails/5.jpg)
Byzantine Hades
• Byzantine Hades is linked to the First Technical Recon Bureau (TRB) – a division under the GSD 3rd Department of China’s People’s Liberation Army* – China’s equivalent of the NSA
*http://www.strategypage.com/htmw/htiw/articles/20110417.aspx
![Page 6: Greg Hoglund - Understanding Chinese APT Hackers: Attribution, Attack Trends and Why It Matters](https://reader035.vdocuments.site/reader035/viewer/2022081401/5572124c497959fc0b9064d9/html5/thumbnails/6.jpg)
Where to learn more
This report details the 3rd Department and its various bureaus
![Page 7: Greg Hoglund - Understanding Chinese APT Hackers: Attribution, Attack Trends and Why It Matters](https://reader035.vdocuments.site/reader035/viewer/2022081401/5572124c497959fc0b9064d9/html5/thumbnails/7.jpg)
Public Information
• Aurora, Shady RAT, Night Dragon, and others are linked to this single government-sponsored spying program
• These attacks have been running since 2003
They have been penetrating U.S. & foreign networks for NINE YEARS
![Page 8: Greg Hoglund - Understanding Chinese APT Hackers: Attribution, Attack Trends and Why It Matters](https://reader035.vdocuments.site/reader035/viewer/2022081401/5572124c497959fc0b9064d9/html5/thumbnails/8.jpg)
Chinese Freelancers
• Not all attacks appear to originate directly from government systems. Some appear to be ‘freelancer’ hacking groups – but they target the same kinds of data in similar ways
![Page 9: Greg Hoglund - Understanding Chinese APT Hackers: Attribution, Attack Trends and Why It Matters](https://reader035.vdocuments.site/reader035/viewer/2022081401/5572124c497959fc0b9064d9/html5/thumbnails/9.jpg)
Attack strategies
• Extensive use of hash cracking, rainbow tables
– PTH toolkit and friends
• Entrenchment strategy
– Multiple backup plans, backup CNC protocol & servers both
• Avoidance of packing, rootkits, etc.
• Staging data for exfil
– Watch out for 3-day weekends
![Page 10: Greg Hoglund - Understanding Chinese APT Hackers: Attribution, Attack Trends and Why It Matters](https://reader035.vdocuments.site/reader035/viewer/2022081401/5572124c497959fc0b9064d9/html5/thumbnails/10.jpg)
Why do they stay in?
• Polymorphism
• Private source code
• Small number of targets
– not addressed by “big” AV
• Translate.google.com example
• Hide in plain sight
![Page 11: Greg Hoglund - Understanding Chinese APT Hackers: Attribution, Attack Trends and Why It Matters](https://reader035.vdocuments.site/reader035/viewer/2022081401/5572124c497959fc0b9064d9/html5/thumbnails/11.jpg)
Example
– seclogon.dll malware RAT
– seclogin.dll legitimate binary
– TTP: drops 1.txt, 2.txt into c:\RECYCLER, etc…
![Page 12: Greg Hoglund - Understanding Chinese APT Hackers: Attribution, Attack Trends and Why It Matters](https://reader035.vdocuments.site/reader035/viewer/2022081401/5572124c497959fc0b9064d9/html5/thumbnails/12.jpg)
Cracking hashes remains the primary attack method
![Page 13: Greg Hoglund - Understanding Chinese APT Hackers: Attribution, Attack Trends and Why It Matters](https://reader035.vdocuments.site/reader035/viewer/2022081401/5572124c497959fc0b9064d9/html5/thumbnails/13.jpg)
A collection of utilities found on a CNC server
![Page 14: Greg Hoglund - Understanding Chinese APT Hackers: Attribution, Attack Trends and Why It Matters](https://reader035.vdocuments.site/reader035/viewer/2022081401/5572124c497959fc0b9064d9/html5/thumbnails/14.jpg)
Batch files are common
Two directory listings from the server (reconstructed from the slide):
C:\RECYCLER: a.bat, asx1.rar, asx2.rar
C:\$RECYCLE.BIN: run.bat, loe.rar
Contents of one batch file, as shown on the slide:
net use \\machine1\ipc$ pass DOMAIN/user
dir \\machine1\c$
net use \\machine2\ipc$ pass DOMAIN/user
dir \\machine2\c$
net use \\machine2\ipc$ pass DOMAIN/user
dir \\machine2\c$
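The batch file above walks a list of hosts, mapping the IPC$ share and listing C$ on each with one stolen credential. From the defender's side that pattern is visible in share-access auditing: one account touching administrative shares on many hosts in a short window. The following is an added example (not code from the presentation or from HBGary) that flags such fan-out over constructed log lines modelled loosely on Windows Security event 5140; the line format, the account names and the thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records modelled on Windows Security event 5140 ("a network
# share object was accessed"). Made-up lines for illustration, not a real incident.
SAMPLE_LOG = r"""
2012-10-15T02:13:05 EventID=5140 Account=CORP\jdoe Source=10.0.0.5 Target=machine1 Share=\\*\IPC$
2012-10-15T02:13:06 EventID=5140 Account=CORP\jdoe Source=10.0.0.5 Target=machine1 Share=\\*\C$
2012-10-15T02:13:09 EventID=5140 Account=CORP\jdoe Source=10.0.0.5 Target=machine2 Share=\\*\IPC$
2012-10-15T02:13:10 EventID=5140 Account=CORP\jdoe Source=10.0.0.5 Target=machine2 Share=\\*\C$
2012-10-15T02:13:14 EventID=5140 Account=CORP\jdoe Source=10.0.0.5 Target=machine3 Share=\\*\C$
2012-10-15T02:14:01 EventID=5140 Account=CORP\jdoe Source=10.0.0.5 Target=machine4 Share=\\*\ADMIN$
2012-10-15T09:00:00 EventID=5140 Account=CORP\backup Source=10.0.0.9 Target=fileserver Share=\\*\Projects
2012-10-15T09:01:00 EventID=5140 Account=CORP\asmith Source=10.0.0.7 Target=machine1 Share=\\*\C$
"""

# Assumed field layout for the constructed lines; adapt the pattern to your own export format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=5140 Account=(?P<account>\S+) Source=(?P<src>\S+) "
    r"Target=(?P<target>\S+) Share=\\\\\*\\(?P<share>\S+)$"
)


def find_admin_share_fanout(log_text, min_hosts=3, window=timedelta(minutes=10)):
    """Return {account: sorted target hosts} for every account that reached
    administrative shares (names ending in $) on at least `min_hosts` distinct
    hosts inside any `window`-long stretch of time."""
    events = defaultdict(list)  # account -> [(timestamp, target host)]
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or not m["share"].endswith("$"):
            continue  # unparsable line or an ordinary (non-admin) share
        events[m["account"]].append((datetime.fromisoformat(m["ts"]), m["target"]))

    hits = {}
    for account, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            # Distinct hosts reached within `window` of this event.
            hosts = {target for ts, target in evs[i:] if ts - start <= window}
            if len(hosts) >= min_hosts:
                hits[account] = sorted(hosts)
                break
    return hits


if __name__ == "__main__":
    for account, hosts in find_admin_share_fanout(SAMPLE_LOG).items():
        print(f"{account}: admin shares on {len(hosts)} hosts -> {', '.join(hosts)}")
```

The rule ignores ordinary shares (the backup account reading a project share is not flagged) and only fires on breadth, which is what distinguishes the scripted sweep from an administrator visiting one machine.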
![Page 15: Greg Hoglund - Understanding Chinese APT Hackers: Attribution, Attack Trends and Why It Matters](https://reader035.vdocuments.site/reader035/viewer/2022081401/5572124c497959fc0b9064d9/html5/thumbnails/15.jpg)
Installing a sethc.exe backdoor
![Page 16: Greg Hoglund - Understanding Chinese APT Hackers: Attribution, Attack Trends and Why It Matters](https://reader035.vdocuments.site/reader035/viewer/2022081401/5572124c497959fc0b9064d9/html5/thumbnails/16.jpg)
Anti-forensics
• Cleans the log
• Adds/removes services
• Stomps filetimes
• Removes last login times
• Secure deletes files
• Zaps slack disk
• …
![Page 17: Greg Hoglund - Understanding Chinese APT Hackers: Attribution, Attack Trends and Why It Matters](https://reader035.vdocuments.site/reader035/viewer/2022081401/5572124c497959fc0b9064d9/html5/thumbnails/17.jpg)
Attack Progression (diagram)
Phases: Prepare / Infect / Interact / Exploit
• Reconnaissance
• Weaponization
• Delivery
• Detonation
• Command and Control
• Escalation & Lateral Movement
• Entrenchment
• Data Exfiltration
Diagram annotations: Defense Solutions; GAP; Attacker’s exposure; Cost to attacker; High detection potential; Cost to remediate
![Page 18: Greg Hoglund - Understanding Chinese APT Hackers: Attribution, Attack Trends and Why It Matters](https://reader035.vdocuments.site/reader035/viewer/2022081401/5572124c497959fc0b9064d9/html5/thumbnails/18.jpg)
October 17, 2012
Time Exploited
Length of time from “Compromise to Discovery” in 2010*
*Source for graph: Verizon Data Breach Report 2010
Also: average length of time before Shady RAT was discovered: 8 ½ months
![Page 19: Greg Hoglund - Understanding Chinese APT Hackers: Attribution, Attack Trends and Why It Matters](https://reader035.vdocuments.site/reader035/viewer/2022081401/5572124c497959fc0b9064d9/html5/thumbnails/19.jpg)
Future / Emerging Vectors
![Page 20: Greg Hoglund - Understanding Chinese APT Hackers: Attribution, Attack Trends and Why It Matters](https://reader035.vdocuments.site/reader035/viewer/2022081401/5572124c497959fc0b9064d9/html5/thumbnails/20.jpg)
Social Media + Bring Your Own Device
bit.ly ? You can’t even tell what you are clicking on…
![Page 21: Greg Hoglund - Understanding Chinese APT Hackers: Attribution, Attack Trends and Why It Matters](https://reader035.vdocuments.site/reader035/viewer/2022081401/5572124c497959fc0b9064d9/html5/thumbnails/21.jpg)
Social Networking Attack (I) (diagram): social networking space, injected JavaScript
![Page 22: Greg Hoglund - Understanding Chinese APT Hackers: Attribution, Attack Trends and Why It Matters](https://reader035.vdocuments.site/reader035/viewer/2022081401/5572124c497959fc0b9064d9/html5/thumbnails/22.jpg)
Social Network Attack (II) (diagram): social networking space, compromised credential
![Page 23: Greg Hoglund - Understanding Chinese APT Hackers: Attribution, Attack Trends and Why It Matters](https://reader035.vdocuments.site/reader035/viewer/2022081401/5572124c497959fc0b9064d9/html5/thumbnails/23.jpg)
The New CNC
![Page 24: Greg Hoglund - Understanding Chinese APT Hackers: Attribution, Attack Trends and Why It Matters](https://reader035.vdocuments.site/reader035/viewer/2022081401/5572124c497959fc0b9064d9/html5/thumbnails/24.jpg)
Continuous Protection
![Page 25: Greg Hoglund - Understanding Chinese APT Hackers: Attribution, Attack Trends and Why It Matters](https://reader035.vdocuments.site/reader035/viewer/2022081401/5572124c497959fc0b9064d9/html5/thumbnails/25.jpg)
Make your Infrastructure Smarter (diagram)
Event loop nodes: Compromise Detected; Reimage Machine; Get Threat Intel; More Compromise; Scan Hosts
Host Analysis: Event Timeline; Malware Strings; IP, DNS, URL; Registry Scan; NTFS Scan; Memory Scan
Intelligent Perimeter: update GPO’s; update NIDS; update AV
![Page 26: Greg Hoglund - Understanding Chinese APT Hackers: Attribution, Attack Trends and Why It Matters](https://reader035.vdocuments.site/reader035/viewer/2022081401/5572124c497959fc0b9064d9/html5/thumbnails/26.jpg)
Enterprise-wide Physical Memory and Processes
![Page 27: Greg Hoglund - Understanding Chinese APT Hackers: Attribution, Attack Trends and Why It Matters](https://reader035.vdocuments.site/reader035/viewer/2022081401/5572124c497959fc0b9064d9/html5/thumbnails/27.jpg)
Enterprise-wide registry and Windows objects
![Page 28: Greg Hoglund - Understanding Chinese APT Hackers: Attribution, Attack Trends and Why It Matters](https://reader035.vdocuments.site/reader035/viewer/2022081401/5572124c497959fc0b9064d9/html5/thumbnails/28.jpg)
Group Tour
![Page 29: Greg Hoglund - Understanding Chinese APT Hackers: Attribution, Attack Trends and Why It Matters](https://reader035.vdocuments.site/reader035/viewer/2022081401/5572124c497959fc0b9064d9/html5/thumbnails/29.jpg)
APT Group
• Multiple DoD contractor targets
• 30+ C&C domains in play
– nilaye.com, helpmgr.net, etc…
– Registrations thru ENOM, Inc.
• ~10 Personas
– Wal Rook (culture reference: Chinese general)
– Tom Hansen
– Tom Hason variant
• Full featured C&C protocol
• No stealth
![Page 30: Greg Hoglund - Understanding Chinese APT Hackers: Attribution, Attack Trends and Why It Matters](https://reader035.vdocuments.site/reader035/viewer/2022081401/5572124c497959fc0b9064d9/html5/thumbnails/30.jpg)
Parking
• Used to park at 127.0.0.1, now parking at yahoo.com, google, blogspot, etc…
• No longer 255.255.255.255, 1.1.1.1, etc…
• Indicates they know you are using DNS logs to find parked domains
• HBGary has new methods to discover these website-parked domains
– This involves data mining search engine web caches for historical indexed content of yahoo, etc.
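The parking observation is a detection opportunity on its own: a dormant C&C domain has to resolve to something, and whether that something is a sentinel address or a big public site, the moment it flips to a routable address is the signal. The block below is an added example (not HBGary's method, which the slide says relies on search-engine caches) that walks a constructed passive-DNS history and reports domains that were parked and later went live, plus those still parked. Domain names, addresses and the list of "public parking" zones are assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Non-routable "parking" answers the slide says were used in the past.
PARK_SENTINELS = {"127.0.0.1", "255.255.255.255", "1.1.1.1"}
# Public zones the slide says dormant domains are now pointed at (assumed list).
PUBLIC_PARK_ZONES = ("yahoo.com", "google.com", "blogspot.com")

# Constructed passive-DNS history: (date, qname, rtype, rdata). Names use the
# .example TLD and addresses are documentation/reserved values; not real data.
SAMPLE_PDNS = [
    ("2012-09-01", "c2-one.example", "A", "127.0.0.1"),
    ("2012-09-20", "c2-one.example", "A", "203.0.113.17"),
    ("2012-09-01", "c2-two.example", "CNAME", "www.yahoo.com"),
    ("2012-09-25", "c2-two.example", "A", "198.51.100.4"),
    ("2012-09-01", "c2-three.example", "CNAME", "www.yahoo.com"),
    ("2012-09-01", "mail.yahoo.com", "CNAME", "www.yahoo.com"),
    ("2012-09-01", "intranet.corp.example", "A", "10.1.2.3"),
]


def in_zone(name, zone):
    return name == zone or name.endswith("." + zone)


def classify_answer(qname, rtype, rdata):
    """Label one DNS answer as 'sentinel' (non-routable placeholder),
    'public-park' (aimed at a big public site the domain does not belong to),
    'live' (a routable address), or None when the answer says nothing useful."""
    if rtype == "A":
        if rdata in PARK_SENTINELS:
            return "sentinel"
        ip = ipaddress.ip_address(rdata)
        if ip.is_loopback or ip.is_unspecified or ip.is_reserved:
            return "sentinel"
        return "live"
    if rtype == "CNAME":
        for zone in PUBLIC_PARK_ZONES:
            # A yahoo.com host pointing at yahoo.com is normal; a stranger doing so is parking.
            if in_zone(rdata, zone) and not in_zone(qname, zone):
                return "public-park"
    return None


def domain_states(records):
    """Per domain, the chronological list of (date, state) labels."""
    history = defaultdict(list)
    for date, qname, rtype, rdata in sorted(records):
        state = classify_answer(qname, rtype, rdata)
        if state is not None:
            history[qname].append((date, state))
    return history


def find_activated(records):
    """Domains that were parked (sentinel or public-park) and later went live."""
    out = {}
    for qname, states in domain_states(records).items():
        seq = [s for _, s in states]
        parked_at = [i for i, s in enumerate(seq) if s != "live"]
        if parked_at and "live" in seq[parked_at[0]:]:
            out[qname] = seq
    return out


def find_dormant(records):
    """Domains whose most recent answer is still a parking state."""
    return sorted(q for q, st in domain_states(records).items() if st[-1][1] != "live")


if __name__ == "__main__":
    print("activated:", find_activated(SAMPLE_PDNS))
    print("dormant:", find_dormant(SAMPLE_PDNS))
```

The CNAME rule is the part that survives the move from 127.0.0.1 to yahoo.com: it keys on the mismatch between the querying name's zone and the answer's zone rather than on any fixed address.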
![Page 31: Greg Hoglund - Understanding Chinese APT Hackers: Attribution, Attack Trends and Why It Matters](https://reader035.vdocuments.site/reader035/viewer/2022081401/5572124c497959fc0b9064d9/html5/thumbnails/31.jpg)
APT Group
• DoD contractor-wide compromises
• Full RAT, many variants, private sourcecode
– Drops malicious screensaver, executable, DLL
• C&C protocol unchanged
– All use the same DNS registration email
– New registration email appeared recently
– ~5 Personas (variants of Xue) • Xue Lan, Lan Xue, Xue Sun, Sun Xue
• Serves malicious PDF from “esnips” social networking site
– FY11_DSDLP.PDF DoD program
![Page 32: Greg Hoglund - Understanding Chinese APT Hackers: Attribution, Attack Trends and Why It Matters](https://reader035.vdocuments.site/reader035/viewer/2022081401/5572124c497959fc0b9064d9/html5/thumbnails/32.jpg)
Unique String Tracking
• Group uses a consistent RAT built from private source code
• HBGary has specific unique strings that always appear in this group’s malware
– These can be scanned for in physical memory
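Scanning physical memory for a group's fixed strings works because a RAT built from private source carries the same literals through every recompile, and because those literals sit unencoded in the process image even when the file on disk is packed. The block below is an added example (not HBGary's scanner, and the signature strings are placeholders, not the group's real strings) showing the two details that matter in practice: search for both the ASCII and the UTF-16LE form, since Windows APIs leave wide strings in memory, and require more than one distinct string before naming a group. The sample "memory image" is constructed inline.

```python
# Placeholder signature set: the RECYCLER drop paths come from the TTP on an
# earlier slide; the build tag is an invented stand-in for a group-specific literal.
GROUP_SIGNATURES = {
    "group-x": [b"RECYCLER\\1.txt", b"RECYCLER\\2.txt", b"PRIVATE_RAT_BUILD_TAG"],
}


def encodings_of(s: bytes):
    """Yield the raw ASCII form and the UTF-16LE form of a signature string."""
    yield "ascii", s
    yield "utf16le", s.decode("ascii").encode("utf-16-le")


def scan_memory(image: bytes, signatures=GROUP_SIGNATURES, min_matches=2):
    """Return {group: [(string, encoding, offset), ...]} for every group with
    at least `min_matches` distinct signature strings present in `image`."""
    hits = {}
    for group, strings in signatures.items():
        found = []
        for s in strings:
            for enc, needle in encodings_of(s):
                off = image.find(needle)
                while off != -1:
                    found.append((s.decode("ascii"), enc, off))
                    off = image.find(needle, off + 1)
        distinct = {name for name, _, _ in found}
        if len(distinct) >= min_matches:
            hits[group] = sorted(found, key=lambda h: h[2])
    return hits


# Constructed memory image: zero padding, an ASCII drop path, more padding, then
# the second drop path as the wide string a Unicode file API would leave behind.
SAMPLE_IMAGE = (
    b"\x00" * 64
    + b"C:\\RECYCLER\\1.txt"
    + b"\x00" * 32
    + "C:\\RECYCLER\\2.txt".encode("utf-16-le")
    + b"\x90" * 16
)

if __name__ == "__main__":
    for group, matches in scan_memory(SAMPLE_IMAGE).items():
        for name, enc, off in matches:
            print(f"{group}: {name!r} ({enc}) at offset {off:#x}")
```

A scanner that only looked for ASCII would have found a single string here and, with a two-string threshold, reported nothing.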
![Page 33: Greg Hoglund - Understanding Chinese APT Hackers: Attribution, Attack Trends and Why It Matters](https://reader035.vdocuments.site/reader035/viewer/2022081401/5572124c497959fc0b9064d9/html5/thumbnails/33.jpg)
Infection Phases
• babysleep.scr connect to
– goodfeelingauto.com
• drops auto.exe
• We have also seen several other variants
– i.e., party.exe from mysundayparty.com
• This is all the same malware, but with different compile times, indicating private sourcecode
![Page 34: Greg Hoglund - Understanding Chinese APT Hackers: Attribution, Attack Trends and Why It Matters](https://reader035.vdocuments.site/reader035/viewer/2022081401/5572124c497959fc0b9064d9/html5/thumbnails/34.jpg)
APT Group
• Very widespread, 30-50 known victims
– DoD contractors, manufacturing, etc.
• Rasauto32 backdoor, nwsapagent backdoor
• C&C: infosupports.com, blackcake.net, purpledaily.org, many others
• Persona: Yingxi Yuan for registrations
• TTP: drop MD5-modified version of cmd.exe
– Sometimes dropped as “ati.exe”
– Change metadata to ‘Macrosoft’ for example
– Trying to hide this shell from your MD5 sweeps
![Page 35: Greg Hoglund - Understanding Chinese APT Hackers: Attribution, Attack Trends and Why It Matters](https://reader035.vdocuments.site/reader035/viewer/2022081401/5572124c497959fc0b9064d9/html5/thumbnails/35.jpg)
APT Group
• Well over a dozen known DoD contractors hit
• Uses google code site for C&C, base64 encoded comments
• Usernames all variants of XSL/XLS
– XSL2012, XLS2012 transposed
– XXTALTAL, XXTALATL transposed
– XSLPROFILE
• Recently this group changed to a new naming scheme and made pages private
– HBGary has a means to extract cleartext from these private versions via google-cache
![Page 36: Greg Hoglund - Understanding Chinese APT Hackers: Attribution, Attack Trends and Why It Matters](https://reader035.vdocuments.site/reader035/viewer/2022081401/5572124c497959fc0b9064d9/html5/thumbnails/36.jpg)
Command and Control (diagram, steps labelled A to D)
• Backdoor connects to compromised web server
• Web server that has been compromised by hacker
• Backdoor downloads base64 encoded file containing instructions
• HTML to make this look like a 404 error page
![Page 37: Greg Hoglund - Understanding Chinese APT Hackers: Attribution, Attack Trends and Why It Matters](https://reader035.vdocuments.site/reader035/viewer/2022081401/5572124c497959fc0b9064d9/html5/thumbnails/37.jpg)
![Page 38: Greg Hoglund - Understanding Chinese APT Hackers: Attribution, Attack Trends and Why It Matters](https://reader035.vdocuments.site/reader035/viewer/2022081401/5572124c497959fc0b9064d9/html5/thumbnails/38.jpg)
![Page 39: Greg Hoglund - Understanding Chinese APT Hackers: Attribution, Attack Trends and Why It Matters](https://reader035.vdocuments.site/reader035/viewer/2022081401/5572124c497959fc0b9064d9/html5/thumbnails/39.jpg)
![Page 40: Greg Hoglund - Understanding Chinese APT Hackers: Attribution, Attack Trends and Why It Matters](https://reader035.vdocuments.site/reader035/viewer/2022081401/5572124c497959fc0b9064d9/html5/thumbnails/40.jpg)
![Page 41: Greg Hoglund - Understanding Chinese APT Hackers: Attribution, Attack Trends and Why It Matters](https://reader035.vdocuments.site/reader035/viewer/2022081401/5572124c497959fc0b9064d9/html5/thumbnails/41.jpg)
![Page 42: Greg Hoglund - Understanding Chinese APT Hackers: Attribution, Attack Trends and Why It Matters](https://reader035.vdocuments.site/reader035/viewer/2022081401/5572124c497959fc0b9064d9/html5/thumbnails/42.jpg)
C&C control files
• Group has C&C servers running in Hong Kong and also at a Chinese university
• Updates to OPSEC
– Company_name.html old way
– Sexy_monkey.html new way
![Page 43: Greg Hoglund - Understanding Chinese APT Hackers: Attribution, Attack Trends and Why It Matters](https://reader035.vdocuments.site/reader035/viewer/2022081401/5572124c497959fc0b9064d9/html5/thumbnails/43.jpg)
APT Group
• spoolsv RAT, man-in-the-middle print driver
• C&C is designed to look like HP driver update
– This is fairly advanced compared to other groups
• C&C DNS: hpwsvs.com, others…
• Full RAT, remote command shell
• Creates DNS strings with single-byte pushes
![Page 44: Greg Hoglund - Understanding Chinese APT Hackers: Attribution, Attack Trends and Why It Matters](https://reader035.vdocuments.site/reader035/viewer/2022081401/5572124c497959fc0b9064d9/html5/thumbnails/44.jpg)
Takeaway
• Use your threat intelligence
• You need endpoint visibility
• The perimeter is vanishing
• Security is a counter-intelligence problem, not a technology problem
– Security will not be provided solely by blinking appliances in the rack
![Page 45: Greg Hoglund - Understanding Chinese APT Hackers: Attribution, Attack Trends and Why It Matters](https://reader035.vdocuments.site/reader035/viewer/2022081401/5572124c497959fc0b9064d9/html5/thumbnails/45.jpg)
HBGary Active Defense dramatically reduced the time between network intrusion and discovery.
- U.S. Government Contractor
We can't live without it. Active Defense is saving us major money.
- Top 10 Financial Institution
Digital DNA is a game changer.
- Big Consulting Company
Responder with Digital DNA is definitely a need-to-have item in our toolbox.
- VP eCrime Unit, Fortune 50 Bank
![Page 46: Greg Hoglund - Understanding Chinese APT Hackers: Attribution, Attack Trends and Why It Matters](https://reader035.vdocuments.site/reader035/viewer/2022081401/5572124c497959fc0b9064d9/html5/thumbnails/46.jpg)
Thank you – Q&A
For more information: http://hbgary.com/publications
Request a copy of “APT World at War: Region China” poster
Contact: [email protected]