
Potential for false flag operations in the DNC Hack

Jake Williams

Rendition Infosec

rsec.us

@MalwareJake

# whoami

• Passionate about security
• More than a decade of InfoSec experience
• Some things about me:
– Forensic Analyst
– Incident Responder
– Vulnerability Researcher
– SANS Instructor/Course Author
– Conference Addict

(C) 2016 Rendition Infosec - Jake Williams

Agenda

• Why do we care?
• Overview of the hack
• TTPs known to be used
• File metadata from exfiltrated docs
• False flag opportunities

Why do we care?

• Suppose your organization is concerned with politics
– Or Russia
– Or foreign policy
• Your leaders want you to validate the attribution and help them understand the connections between the DNC hack and Russia
• Leadership is reading about the Guccifer 2.0 character and is worried about lone actors

Attack Timeline

• 14JUN – DNC hack announced (more or less) by CrowdStrike
• 15JUN – Guccifer 2.0 takes credit, Russia publicly denies involvement
– "maybe someone forgot the password"
• 18JUN, 21JUN – Guccifer 2.0 releases more docs
• 20JUN – ThreatGeek posts findings from malware analysis
• 22JUN – Guccifer 2.0 opens DMs for media inquiries

Guccifer Really Dislikes CrowdStrike

• While it's possible that Guccifer is a Russian puppet, he really dislikes CrowdStrike

CrowdStrike Stands by Analysis

Attribution Considerations

• TTPs used by the attacker
• Specific malware used
• Malware characteristics observed
• Command and control domains, IP addresses, and other infrastructure

On Validating Attribution

Observable Facts > Others' Analyses

Diamond Model

Our Diamond Model

• Adversary: Russia??? Other actor?
• Victim: Email server, IRC/Chat server
• Capability: SeaDaddy, PowerShell, X-Agent, X-Tunnel
• Infrastructure: 185.100.84.134, 58.49.58.58, 218.1.98.203, 187.33.33.80, 185.86.148.227, 45.32.129.185, 23.227.196.217

What do we know?

• Capability
– Credential theft
– Living off the land
• Infrastructure
– Multiple IP addresses and malware
– Domains not specified in CrowdStrike reporting
• Victim
– DNC email and chat servers (and certainly others)

Infrastructure

• Quickly pivoted from reported IP 185.100.84.134
• Looks like a pretty low reputation CIDR…
• Thanks RecordedFuture!

Infrastructure (2)

• Quickly pivoted from reported IP 185.100.84.134
• Taking a look at domains related to this IP – nothing from DomainTools

Infrastructure (3)

• Being from Romania isn't necessarily bad

TTPs – Compromised Websites for C2

• Earlier websites seen used by SEADUKE malware were compromised
– Renders reverse whois useless…

Let's try another IP

• Looks like 58.49.58.58 is running an Apache web server – in China

Let's try another IP (2)

• No info in mnemonic or VirusTotal for 58.49.58.58 either

Why the focus on C2?

• The attackers either have to purchase or compromise C2
• If purchased, there may be links we can follow
– Registration email
– Where the domain is parked
• If compromised, there may be something common in the targets that suggests a particular capability
– Perhaps all compromised domains are running Drupal or WordPress

Malware Artifact Challenges

• Malware artifacts may also say something about the attacker
• These are easy to fake – we do it all the time at Rendition Infosec
• Black Hills Infosec used to provide a service to embed APT-related strings in existing binaries
• Ed Skoudis has been saying for years that connections to the Stuxnet code can't really be trusted – too easy to false flag
• PowerShell is just text – too easy to copy "coding styles"

Malware Artifacts of Interest

• ThreatGeek reported that the X-Tunnel sample had embedded OpenSSL 1.0.1e
– Heartbleed vulnerable! (Heartbleed affects OpenSSL 1.0.1 through 1.0.1f)
• Attackers reused some C2 IP addresses hardcoded into the DNC X-Tunnel sample from a sample seen in the German Parliament attack in 2015
• FireEye reporting links malware in the German Parliament attack to Russia
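The two artifacts this slide relies on, an embedded OpenSSL version string and hard-coded C2 addresses, can be carved from a sample with a few lines. The following is an added example (not code from the talk, ThreatGeek or CrowdStrike) that does so on constructed bytes: SAMPLE imitates a statically linked OpenSSL banner plus two of the addresses from the CrowdStrike list shown earlier in the deck, and PRIOR_REPORT_IPS is an invented indicator set standing in for an earlier report, so the overlap it finds is not the real German Parliament overlap. The Heartbleed range (OpenSSL 1.0.1 through 1.0.1f) is the published one.

```python
"""Carve attribution artifacts (OpenSSL version, hard-coded IPv4) from a sample.

Added example; not code from the talk or from ThreatGeek/CrowdStrike. SAMPLE
is constructed bytes imitating what the slide describes for X-Tunnel: a
statically linked OpenSSL banner and hard-coded C2 addresses. The two IPs
embedded are taken from the CrowdStrike list shown earlier in the deck;
PRIOR_REPORT_IPS is an invented 'earlier sample' indicator set used only to
show the overlap check, not the real German Parliament overlap.
"""
import ipaddress
import re

# Heartbleed (CVE-2014-0160) affects OpenSSL 1.0.1 through 1.0.1f; 1.0.1g fixed it.
HEARTBLEED_VULNERABLE = {"1.0.1"} | {"1.0.1" + c for c in "abcdef"}

OPENSSL_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?)")
# Four dotted octets not glued to other digits/dots (avoids matching inside
# version strings or longer numeric runs); range-checked by ipaddress below.
IPV4_RE = re.compile(rb"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def carve_openssl_versions(blob: bytes) -> list:
    """Distinct OpenSSL version strings found in the blob, sorted."""
    return sorted({m.group(1).decode("ascii") for m in OPENSSL_RE.finditer(blob)})


def is_heartbleed_vulnerable(version: str) -> bool:
    return version in HEARTBLEED_VULNERABLE


def carve_ipv4(blob: bytes) -> set:
    """Routable-looking IPv4 literals; drops junk like 999.1.1.1 and loopback/private."""
    found = set()
    for m in IPV4_RE.finditer(blob):
        text = m.group(0).decode("ascii")
        try:
            ip = ipaddress.IPv4Address(text)
        except ValueError:
            continue  # octet out of range: not an address
        if ip.is_private or ip.is_loopback or ip.is_multicast or ip.is_unspecified:
            continue
        found.add(text)
    return found


def analyse(blob: bytes, prior_report_ips) -> dict:
    """Versions, Heartbleed status, carved C2 addresses and overlap with a prior indicator set."""
    versions = carve_openssl_versions(blob)
    ips = carve_ipv4(blob)
    return {
        "openssl": versions,
        "heartbleed": [v for v in versions if is_heartbleed_vulnerable(v)],
        "c2_ips": sorted(ips),
        "overlap": sorted(ips & set(prior_report_ips)),
    }


# Constructed stand-in for the binary: padding, an OpenSSL banner, two IPs from
# the CrowdStrike reporting, and noise that a naive regex would pick up.
SAMPLE = (
    b"\x00" * 16
    + b"OpenSSL 1.0.1e 11 Feb 2013\x00"
    + b"\x90" * 8
    + b"185.86.148.227\x00"
    + b"1.2.3\x00"          # version-like, not an address
    + b"999.1.1.1\x00"      # octet out of range
    + b"127.0.0.1\x00"      # loopback
    + b"45.32.129.185\x00"
)

# Invented indicator set standing in for a previously published sample.
PRIOR_REPORT_IPS = {"185.86.148.227", "198.51.100.23"}

if __name__ == "__main__":
    print(analyse(SAMPLE, PRIOR_REPORT_IPS))
```

Read the result with the previous slide's caveat in mind: carving tells you which bytes are in the file, and a version string or an IP literal costs an attacker nothing to plant. Overlap with previously reported infrastructure is worth more than a string only because reusing a live C2 address has an operational cost that a copied string does not.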

Document Metadata

• Many stolen documents have been released by Guccifer 2.0
• Some metadata seems more than a little off…

Document Metadata (2)

Document Metadata (3)

False Flag Opportunities

• Copying PowerShell from other reports
• Planting malware artifacts
• Using compromised C2 servers from multiple countries rather than registering domains
• Planting document metadata
• Use of a social media puppet with broken English
• Publicly discrediting the work of researchers
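Metadata in an OOXML document is a short XML part inside a zip, so both reading it and planting it (the Document Metadata slides and the "Planting document metadata" opportunity above) are trivial. The block below is an added example, not from the talk, and does not reproduce whatever the slide screenshots showed: it builds a minimal .docx in memory with invented names and dates, reads docProps/core.xml back, runs two cheap consistency checks, and then rewrites the creator and modified fields the way a false-flag operator would.

```python
"""Read and rewrite OOXML core properties (docProps/core.xml in a .docx).

Added example, not code from the talk. A minimal .docx is built in memory so
the script runs offline; the names and timestamps are invented. It shows (a)
how the creator / lastModifiedBy / created / modified fields that leaked
documents get judged on are read, and (b) that planting different values is
a zip rewrite, which is why such metadata cannot carry attribution on its own.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}

CORE_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
    '<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" '
    'xmlns:dcterms="{dcterms}" xmlns:xsi="{xsi}">\n'
    "<dc:creator>{creator}</dc:creator>\n"
    "<cp:lastModifiedBy>{last_modified_by}</cp:lastModifiedBy>\n"
    '<dcterms:created xsi:type="dcterms:W3CDTF">{created}</dcterms:created>\n'
    '<dcterms:modified xsi:type="dcterms:W3CDTF">{modified}</dcterms:modified>\n'
    "</cp:coreProperties>\n"
)

FIELDS = ("creator", "last_modified_by", "created", "modified")


def _core_xml(props: dict) -> str:
    return CORE_XML.format(**NS, **{f: props[f] for f in FIELDS})


def build_docx(creator, last_modified_by, created, modified) -> bytes:
    """Constructed stand-in for a real document: only the parts we inspect."""
    props = dict(zip(FIELDS, (creator, last_modified_by, created, modified)))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", _core_xml(props))
        z.writestr("word/document.xml", "<w:document/>")  # body is irrelevant here
    return buf.getvalue()


def read_core_properties(docx_bytes: bytes) -> dict:
    """Pull the four core fields out of docProps/core.xml."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))
    paths = {"creator": "dc:creator", "last_modified_by": "cp:lastModifiedBy",
             "created": "dcterms:created", "modified": "dcterms:modified"}
    out = {}
    for field, path in paths.items():
        el = root.find(path, NS)
        out[field] = el.text if el is not None else None
    return out


def metadata_notes(props: dict) -> list:
    """Cheap consistency checks to run before anyone reads meaning into a name."""
    notes = []
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    try:
        if datetime.strptime(props["modified"], fmt) < datetime.strptime(props["created"], fmt):
            notes.append("modified precedes created")
    except (TypeError, ValueError):
        notes.append("unparseable timestamp")
    if props["creator"] and props["last_modified_by"] and props["creator"] != props["last_modified_by"]:
        notes.append("creator differs from lastModifiedBy")
    return notes


def plant_metadata(docx_bytes: bytes, **overrides) -> bytes:
    """Rewrite core.xml with new values: this is all 'planting metadata' takes."""
    props = read_core_properties(docx_bytes)
    props.update(overrides)
    src = zipfile.ZipFile(io.BytesIO(docx_bytes))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            data = _core_xml(props) if name == "docProps/core.xml" else src.read(name)
            dst.writestr(name, data)
    return out.getvalue()


if __name__ == "__main__":
    original = build_docx("analyst", "analyst", "2016-06-01T10:00:00Z", "2016-06-02T10:00:00Z")
    planted = plant_metadata(original, creator="someone else", modified="2016-05-01T00:00:00Z")
    for label, doc in (("original", original), ("planted", planted)):
        props = read_core_properties(doc)
        print(label, props, metadata_notes(props))
```

The checks only catch a careless planter (a modified timestamp earlier than created, an author name that does not match the last editor). A careful one sets every field consistently, which is exactly why the deck treats metadata as an opportunity for false flags rather than as evidence.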

False Flag PowerShell

• Sure we've seen the PowerShell key before
– But you can create "Russian Malware" using it too!

False Flag Puppet Blogs

• I went to register the WordPress blog guccifer3
– Someone else had already done it…

Some ACH Love

• No time to cover full ACH (Analysis of Competing Hypotheses), but here are some hypotheses
– It was Russia and Guccifer 2.0 is a puppet
– It was another unknown state actor
– Guccifer 2.0 and the Russians both hacked the DNC independently
– The docs leaked by Guccifer 2.0 are all fake
– There was never any compromise of the DNC
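For the slide's ACH shorthand, here is an added example (not from the talk) of the bookkeeping the method involves. The hypotheses are the five listed; the evidence rows name things mentioned earlier in the deck, but the C/I/N ratings and the credibility weights are placeholders chosen to show the mechanics, not an assessment by the author or anyone else.

```python
"""Analysis of Competing Hypotheses (ACH) scorer.

Added example; not from the talk. HYPOTHESES are the five on the slide. The
evidence rows are things the deck mentions, but the C/I/N ratings and the
weights are placeholders chosen to show the mechanics (weighted inconsistency
counts and diagnosticity), not an assessment by the author or anyone else.
"""

HYPOTHESES = [
    "It was Russia and Guccifer 2.0 is a puppet",
    "It was another unknown state actor",
    "Guccifer 2.0 and the Russians both hacked the DNC independently",
    "The docs leaked by Guccifer 2.0 are all fake",
    "There was never any compromise of the DNC",
]

# Each row: a ratings string with one char per hypothesis in HYPOTHESES order
# (C consistent, I inconsistent, N neutral) and a credibility weight. Weights
# are lowered for artifacts the deck says are easy to plant. PLACEHOLDERS.
EVIDENCE = {
    "CrowdStrike reports malware on DNC systems":                    ("CCCCI", 1.0),
    "Guccifer 2.0 claims credit and publishes documents":            ("CCCCC", 1.0),
    "X-Tunnel reuses C2 IPs from the 2015 German Parliament sample": ("CNCCI", 0.5),
    "FireEye links the German Parliament malware to Russia":         ("CNCCN", 0.5),
    "Document metadata looks off":                                    ("CCCCC", 0.5),
}


def diagnosticity(ratings: str) -> int:
    """Number of hypotheses a row rules out; 0 means it discriminates nothing."""
    return ratings.count("I")


def score(hypotheses, evidence) -> dict:
    """Weighted inconsistency per hypothesis.

    ACH prefers the LEAST inconsistent hypothesis rather than the one with the
    most supporting evidence, and ignores rows consistent with every hypothesis.
    """
    totals = {h: 0.0 for h in hypotheses}
    for desc, (ratings, weight) in evidence.items():
        if len(ratings) != len(hypotheses):
            raise ValueError(f"bad rating length for {desc!r}")
        if diagnosticity(ratings) == 0:
            continue  # fits everything: no weight, however credible it is
        for h, r in zip(hypotheses, ratings):
            if r == "I":
                totals[h] += weight
    return totals


def rank(totals: dict) -> list:
    """Hypotheses from least to most inconsistent."""
    return sorted(totals.items(), key=lambda kv: kv[1])


def non_diagnostic(evidence) -> list:
    """Rows that every hypothesis can absorb; listing them is half the value of ACH."""
    return [d for d, (r, _) in evidence.items() if diagnosticity(r) == 0]


if __name__ == "__main__":
    for hypothesis, total in rank(score(HYPOTHESES, EVIDENCE)):
        print(f"{total:4.1f}  {hypothesis}")
    print("non-diagnostic:", non_diagnostic(EVIDENCE))
```

Under these placeholder ratings four hypotheses tie at zero, which is the mechanical form of the next slide's point that the public data does not settle the question: the items everyone cites (Guccifer 2.0's claims, the odd metadata) fit every story and so carry no diagnostic weight. ACH makes progress by looking for evidence that some hypotheses cannot accommodate, not by piling up evidence that fits the favoured one.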

So Whodunnit?

• With the data publicly available today, we can't conclude with certainty
• But based on available evidence, most probably…

Obligatory Questions Slide

• Thanks for your attention
• Open the floor to questions
• Hit me up at:
– @MalwareJake
– [email protected]
– rsec.us