
Defending technological assets against cyberattacks

10 and 11 December 2014

www.ccn-cert.cni.es © 2014 Centro Criptológico Nacional

C/Argentona 20, 28023 MADRID

APT28:

A window into Russian cyber-espionage operations?

VIII JORNADAS STIC CCN-CERT

www.ccn-cert.cni.es

FireEye / Mandiant

Ricardo Hernandez Calleja

Ricardo.hernandez@fireeye.com


FireEye mission

Technology infrastructure is more essential than ever to the world's economy. The costs of compromise are palpable, and threats to infrastructure are real.

With the most advanced technology, threat intelligence and the world's most experienced researchers and incident responders, we are committed to stopping cyber threats.

Cyber security has never been more critical.


Contents

1. Key findings on APT28

2. APT28's targets coincide with Russian interests

3. Malware characteristics point to Russian developers

4. Conclusions


1. APT28: Key findings


APT28 Key Findings

APT28 targets insider information related to governments, militaries and security organizations that would likely benefit the Russian government.

APT28 primarily targets Georgia, Eastern Europe and European security organizations, using skillfully engineered malware which was created during normal working hours in Moscow.


APT28 Primary Targets


APT28 Malware Overview


APT28 Malware Created in Moscow?


2. APT28's targets coincide with Russian interests


Targeting: Caucasus Region


Targeting: Georgian Ministry of Internal Affairs


Targeting: Caucasus Region Militaries and Media

• Georgian military

• Armenian military

• Kavkaz Center


Targeting: Eastern Europe

• Ministry of Foreign Affairs infected

• Polish government targeted with CORESHELL

• MH17 lure

• Baltic Host exercises


Targeting: European Security Organizations

• NATO

• OSCE


Targeting: Defense Attachés

• UK

• Turkey

• China

• Japan

• South Korea


Targeting: Defense


Targeting: Wide-ranging Interests


Lures


3. Malware characteristics point to Russian developers

Updated since 2007


Malware


Malware: Ecosystem


Malware: Counter-analysis

• Unused machine instructions

• Runtime checks

• Obfuscated strings

• RSA encryption of stolen data


Malware: Updated Since 2007

• New network traffic formats, export functions, filenames

• Removed Russian language resources


Malware Variants

• CHOPSTICK backdoor

  • HTTP variant

  • SMTP variant

  • Removable drive variant

• EVILTOSS backdoor

  • x86 HTTP variant

  • x64 HTTP variant

  • x86 SMTP variant


Russian language in the code

• Locale and language identifiers associated with APT28 malware


When were developers working?
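Added example, not part of the talk and not FireEye's own tooling: a Python script showing the kind of analysis behind the "APT28 Malware Created in Moscow?" and "When were developers working?" slides. It reads the COFF TimeDateStamp out of PE images, converts each stamp to Moscow local time and counts how many fall inside a Monday-to-Friday working day. The sample images, the fixed UTC+4 Moscow offset and the 08:00-18:00 working window are assumptions made for the example.

```python
"""Compile-timestamp profiling of PE samples (added example, constructed data)."""
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumption: a fixed UTC+4 offset, which Moscow used from March 2011 to October 2014.
# Samples from other years would need a zoneinfo tz that tracks the later UTC+3 change.
MSK = timezone(timedelta(hours=4), name="MSK")
WEEKDAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")


def pe_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp (seconds since the Unix epoch, UTC) of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)      # offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # IMAGE_FILE_HEADER follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return stamp


def make_minimal_pe(stamp: int) -> bytes:
    """Constructed stand-in for a sample: DOS header, PE signature and COFF header only."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 1, stamp, 0, 0, 0xE0, 0x102)
    return dos + b"PE\0\0" + coff


def working_hours_profile(stamps, tz=MSK, start_hour=8, end_hour=18):
    """Bucket compile timestamps by local hour and weekday in `tz`, and count how many
    fall inside a Monday-Friday working day [start_hour, end_hour)."""
    by_hour, by_weekday = Counter(), Counter()
    in_hours = 0
    for stamp in stamps:
        local = datetime.fromtimestamp(stamp, tz)
        by_hour[local.hour] += 1
        by_weekday[WEEKDAYS[local.weekday()]] += 1
        if local.weekday() < 5 and start_hour <= local.hour < end_hour:
            in_hours += 1
    return {
        "total": len(stamps),
        "in_business_hours": in_hours,
        "by_hour": dict(sorted(by_hour.items())),
        "by_weekday": dict(by_weekday),
    }


# Constructed sample set: five stamps inside a Moscow working day, one on a Saturday night.
SAMPLE_LOCAL_TIMES = [
    datetime(2013, 6, 11, 10, 30, tzinfo=MSK),  # Tue
    datetime(2013, 6, 12, 15, 45, tzinfo=MSK),  # Wed
    datetime(2013, 6, 13, 9, 5, tzinfo=MSK),    # Thu
    datetime(2013, 6, 14, 17, 20, tzinfo=MSK),  # Fri
    datetime(2013, 6, 15, 23, 50, tzinfo=MSK),  # Sat, outside the working window
    datetime(2013, 6, 17, 12, 0, tzinfo=MSK),   # Mon
]
SAMPLE_FILES = [make_minimal_pe(int(t.timestamp())) for t in SAMPLE_LOCAL_TIMES]


def analyse(files=SAMPLE_FILES, tz=MSK):
    """Parse every image and return the working-hours profile of the set."""
    return working_hours_profile([pe_timestamp(f) for f in files], tz)


if __name__ == "__main__":
    p = analyse()
    print(f"{p['in_business_hours']}/{p['total']} samples compiled Mon-Fri 08:00-18:00 MSK")
    print("by hour:", p["by_hour"])
    print("by weekday:", p["by_weekday"])
```

The timestamp is written by the linker and sits in attacker-controlled bytes, so a single stamp proves nothing; the signal comes from the distribution over a large sample set, read together with the language identifiers and the other indicators the talk lists.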


4. Conclusion


Questions?

Follow us on LinkedIn

E-Mails

ccn-cert@cni.es

info@ccn-cert.cni.es

ccn@cni.es

sondas@ccn-cert.cni.es

redsara@ccn-cert.cni.es

carmen@ccn-cert.cni.es

organismo.certificacion@cni.es

Websites

www.ccn.cni.es

www.ccn-cert.cni.es

www.oc.ccn.cni.es