Attribution of Advanced Persistent Threats: How to Identify the Actors Behind Cyber-Espionage
by Timo Steffens, 2020
Springer Vieweg
ISBN 978-3-662-61312-2
| Page | Note |
|---|---|
| | “Nothing made by a human can avoid personal expression” - Hrant Papazian |
| | attribution is a team sport |
| | attribution |
| | Juergen Schmidt |
| | Germany |
| | Martin Boerger |
| | Stefan Ritter |
| | Selma Jabour |
| | Vault 7 documents |
| | Gavin O’Gorman |
| | Collin Anderson |
| | Michael Raggi |
| | art vs. science |
| | security research |
| xiii | *big list of acronyms |
| 3 | Advanced Persistent Threat |
| | data theft |
| | sensitive document |
| | attribution: the analysis process that attempts to answer who was behind a cyber activity and why they did it |
| | cybercriminals are rarely identified or indicted |
| | law enforcement |
| | anonymity |
| | Internet |
| | credit card fraud |
| | ATM jackpotting |
| | German Federal Office for Security in Information Technology (BSI) |
| 4 | Russia - APT28 |
| | BfV - German Federal Office for the Protection of the Constitution |
| | Hans-Georg Maassen |
| | GRU |
| | The Bundestag Case |
| | Iran-Saudi-Aramco hack 2012 |
| | Mandiant |
| | PLA |
| | North Korea - Sony 2013 |
| | GRU - Democratic National Committee (DNC) 2016 |
| | World Anti-Doping Agency |
| | En Marche movement |
| | France presidential election campaign 2017 |
| | attribution used to be only important to few for technical reasons |
| | attribution is important for political, social, and strategic reasons |
| | attribution is rarely covered in media |
| | “The Cuckoo’s Egg” - Clifford Stoll |
| | Pentagon |
| | NASA |
| | HGB |
| | Hanover |
| | Tor |
| 5 | Hanoverian hackers were successful by password guessing and password theft |
| | attribution has evolved because technology has evolved |
| | “attribution” as a term introduced by the military |
| | USAF |
| | China |
| | WikiLeaks |
| | US Department of State |
| | Byzantine Hades |
| | targeted attack |
| | cyber espionage, computer espionage |
| 6 | hacktivism |
| | cyber attack |
| | GhostNet - University of Toronto 2009 |
| | Operation Aurora - Google 2010 |
| | Trend Micro |
| | McAfee |
| | Mandiant - APT1 |
| 7 | more than 130 APT groups documented |
| | antivirus |
| | APT phrase misuse by vendors and media |
| | banking trojan |
| | Zeus |
| | Ursnif |
| | lateral movement |
| | threat intelligence as a service |
| 8 | kill chain of typical APT attacks |
| | APTs act over months/years |
| | reconnaissance |
| | delivery - phishing, exploit, vulnerability |
| 9 | installation of malware |
| | operating system |
| | social engineering |
| | malicious link |
| | macro |
| | lateral movement |
| | exfiltration |
| | erasing evidence, cleanup |
| | *table of techniques used by APTs |
| 10 | reconnaissance |
| | social media |
| | recon info sources |
| | intelligence agency |
| | why do actors select the targets that they do? |
| | rules of engagement |
| | how do actors pick relevant targets? |
| | embassy |
| | misconception of VIPs being targeted |
| | reality of attacking weakest link of the chain |
| 11 | media sector is heavily targeted |
| | APTs take time to find targets not publicly visible |
| | Desert Falcons |
| | Kaspersky Lab |
| | Middle East |
| | cyber mercenaries |
| | Israeli Defense Forces (IDF) |
| | fake social media accounts |
| | joining communities online related to targets |
| | Gaza + in uniform = target |
| | Facebook Messenger |
| | Arabic |
| | Israel |
| | Android |
| | actors tricked targets into installing Android malware |
| | Lotus Blossom |
| | Southeast Asia |
| | actors targeting security researchers |
| | actors gleaned targets by reading blogs and looking at convention speaker and attendee lists |
| 12 | fake Palo Alto convention invites |
| | Emissary malware |
| | malicious Word document |
| | attack observed prior on Hong Kong and Taiwanese targets |
| | exploiting vulnerable servers |
| | Deep Panda |
| | Acunetix used by Deep Panda |
| | webshell |
| | most web servers are scanned constantly, so it is easy for attackers to blend in with the noise |
| | poorly-managed servers stay vulnerable for a long time |
| | watering hole |
| | Africa |
| | fingerprinting |
| | IP address |
| | browser configuration |
| 13 | Witch covens campaign: Snake APT group |
| | whitelisting “interesting” targets for malware delivery |
| | selective targeting helps attackers not be detected as easily as indiscriminate mass infections |
| | email attachment |
| | attack vector |
| | tailored attack |
| | lure documents |
| | Symantec |
| | Tibet |
| | APTs often adapt to their targets |
| 14 | Google Docs |
| | password-protected website |
| | dropper |
| | APK file |
| | Google Play Store |
| | smartphone |
| | play store scans for malware |
| | attackers duped targets to install malicious chat programs because it was “easier to share pictures” |
| | Content Management Software (CMS) |
| | WordPress |
| | Joomla |
| | attackers targeted CMS systems |
| | server-side exploits |
| | HTTP protocol |
| | client-side exploit |
| | incident handler |
| | FireEye, Symantec, Palo Alto, Kaspersky |
| 15 | FireEye - attacks go undetected for ~146 days |
| | companies delete logs periodically for privacy reasons or to save storage space |
| | foothold |
| | lateral movement is often easy after initial access |
| | evasion |
| | backdoor |
| | command and control |
| | 0-day |
| | attackers often don’t even need exploits |
| | users confirm running macros |
| 16 | multi-stage malware |
| | cat-and-mouse |
| | firewall bypass |
| | Java, Flash |
| | lateral movement |
| 17 | privilege escalation |
| | security community |
| | privesc often has lower priority to address |
| | security updates |
| | mimikatz |
| | pass-the-hash |
| | password dump |
| | password hash |
| | attackers look for interesting files |
| | keyword search |
| | directory listings |
| | multi-tiered persistence |
| | Domain Controller |
| 18 | RUAG - Swiss Company |
| | Snake compromise of RUAG |
| | Golden Ticket |
| | living off the land |
| | WMI |
| | PowerShell |
| | Deep Panda + Snake were early adopters of LOTL |
| | attackers are selective on what they exfiltrate |
| | evaluating stolen documents is labor-intensive |
| | staging server (exfiltration) |
| 19 | RAR |
| | FTP, HTTP, HTTPS - usually not blocked |
| | malware typically uses encryption when exfiltrating data |
| | many APTs develop their own encryption |
| | developing cryptography is hard |
| | attribution via cryptography |
| | Snake developed their own CAST128 and AES implementations |
| | German Office for Foreign Affairs - Snake 2018 |
| | exfiltration via email when HTTP is monitored |
| | exfiltration to stolen/fraudulently-obtained intermediary servers |
| | OPSEC |
| | OPSEC is practiced to varying degrees of success by APT groups |
| | some APT groups don’t care about OPSEC |
| 20 | NSA, CIA |
| | DNS |
| | *references |
| 23 | attribution by spoken language clues |
| | ethics of attribution |
| | USDOJ |
| 24 | indictment |
| | attribution via intelligence agency data that cannot be disclosed |
| | governments deny involvement to protect themselves and their people from harm |
| | human nature to want to know who’s responsible |
| | knowing the perpetrators gives a lot of context |
| | people psychologically cannot handle events that happen by chance |
| | “it is irrelevant who is behind the attack” mantra |
| | patching |
| 25 | knowing which APTs attack which verticals can help prioritize security measures |
| | Chinese Five-Year Plan |
| | land of the dragon |
| | attribution gave USA leverage against China |
| | Barack Obama |
| | Xi Jinping |
| | cyber policy |
| | sanction |
| | intellectual property |
| | silver bullet |
| | risk-benefit ratio |
| 26 | India, Pakistan |
| | White House |
| | strategically-placed implants to use in the event of a conflict |
| | power grid |
| | telecommunications |
| | arrest warrant |
| | attribution as a deterrent |
| | attribution’s impact on public opinion |
| | Debbie Wasserman Schultz |
| | French elections 2016, 2017 |
| | hack-and-leak |
| | Robin Hood |
| | attribution originated in psychology - Fritz Heider |
| | social psychology’s similarity to cyber attribution |
| 27 | attack, campaign |
| | 2017 phishing attacks on nuclear power plants - phishing, fake employee applications |
| | Canada, Ireland, Norway |
| | activity cluster |
| | IoC |
| | IP address as an IoC |
| | “Controls Engineer.docx” |
| | filename IoC |
| | atomic IoC |
| 28 | *table of IoC types |
| | computed IoC |
| | complex IoC |
| | threat intelligence |
| | TTP |
| | hackers are creatures of habit |
| 29 | MITRE ATT&CK |
| | detection rules |
| | Sigma |
| | intrusion set |
| | Palmetto Fusion |
| | threat actor |
| | naming conventions of threat actors and APT groups |
| 30 | CrowdStrike |
| | APT41 - FireEye uses “APTXXX” |
| | APT32 - Vietnam |
| | Red October |
| | Cloud Atlas |
| | cloud services for exfiltration |
| | ESET |
| | strings in malware |
| | CrowdStrike APT naming convention |
| | - Russia: Bear |
| | - China: Panda |
| | - Iran: Kitten |
| | - North Korea: Chollima |
| | Rosetta Stone |
| | Egypt |
| 31 | BlackVine |
| | Iron Man |
| | Technetium |
| | Winnti |
| | virtual currency theft |
| | * table of APT names |
| 32 | Diamond Model |
| 33 | Palmetto Fusion |
| | SMB |
| | intrusion sets to attribution |
| 34 | ~85% of adversaries assigned to a country |
| | only a fraction of adversaries attributed to a specific organization or individual |
| | pseudoscience |
| | attribution dice |
| | MiniDuke |
| | Great Britain |
| | Uzbekistan |
| | Turkey |
| | state-sponsored vs criminal motivation |
| | GRU, PLA |
| | X-Agent malware |
| 35 | phases of attribution |
| | - data collection |
| | - clustering |
| | - state-sponsored or criminal |
| | - attribution to country of origin |
| | - attribution to organizations/persons |
| | - assessing confidence, communicating hypothesis |
| | Mutatis mutandis |
| | antivirus sensors collecting telemetry |
| | opting out of telemetry sent to AV vendors |
| | Palestine |
| | Lebanon |
| | Flame malware |
| | sometimes customers inform vendors of malware |
| | statistical algorithms |
| 36 | BISCUIT, MINIASP, MANTISME malware |
| | malware families |
| | malware sample |
| | categorizing malware samples |
| | configuration extractor |
| | attackers reusing email for domain registry |
| | passwords as attribution |
| | red herring |
| 37 | 4C model: Collect, Cluster, Charge, Communicate |
| | FireEye ATOMIC framework |
| 38 | scale of attacks as attribution |
| | actors don’t directly connect to their targets |
| | vendors installing sensors on victim’s machines |
| | RDP |
| | China Unicom |
| | Pudong district, Shanghai |
| | RDP keyboard settings: Chinese |
| 39 | circumstantial evidence |
| | Military Unit Cover Designator 61389 |
| | Bureau 2 - Third Department of the General Staff Department |
| | 3PLA |
| | NSA |
| | SIGINT |
| | OPSEC |
| | UglyGorilla - MANTISME, domains, etc |
| | “ug” - Ugly Gorilla - Wang Dong |
| | Dota - hacker |
| | GMail |
| | Wang Dong |
| | phone prefix as attribution - 159, 2193 |
| 40 | China Mobile |
| | rootkit |
| | SuperHard_M |
| | Mei Qiang |
| | Auriga and Bangat malware |
| | in dubio pro reo – when in doubt, for the defendant |
| | FBI’s investigation methods aren’t public |
| | estimative language |
| 41 | abductive reasoning – inferring the most likely explanation |
| 42 | assumptions that TAs will continue to use exploits/TTPs |
| | assumption of APTs having unlimited budgets and resources |
| | APTs may work for more than one government/client |
| | Five Eyes: Australia, Canada, New Zealand, United Kingdom, United States |
| | Regin malware: Belgacom |
| | governments may subcontract hacking services |
| 43 | Elderwood Framework - shared by many APTs |
| | APTs going dark/re-emerging |
| | cyberespionage assumed to be a full time job |
| | open source malware used by APTs |
| 44 | code similarity doesn’t happen by chance - assumption |
| | cognitive fallacies |
| | security companies may have better visibility into certain regions, verticals, etc |
| 45 | MICTIC framework |
| | Q model - Thomas Rid and Ben Buchanan |
| 46 | telemetry |
| | cui bono |
| 47 | Chinese Ministry of State Security (MSS) |
| | Winnti |
| | APT41 |
| 53 | APT was erroneously conflated with sophisticated malware |
| | attackers often run several campaigns concurrently |
| 54 | exploit, dropper, loader, payload, command and control, RAT, rootkit, password dumper, pass the hash tools |
| | operators |
| | operators don’t usually require maldev skills |
| | operators often use open source tools |
| | operators often reuse same tools for years |
| | technically advanced groups tend to develop their own tools |
| | less savvy groups tend to use public tools |
| 55 | Snake, Uroburos |
| | APT1 |
| | Middle East |
| | PoisonIvy is popular in the Middle East |
| | PowerShell Empire used by APTs |
| | technically advanced operators trending towards using and extending public tools |
| | Cobalt Strike |
| | njRat |
| | APTs switching to Cobalt Strike after their toolsets outed |
| | MANTISME - APT1 |
| | SourFace - APT28 |
| | MiniDuke - APT29 |
| | Uroburos - Snake |
| | RemSec - Project Sauron |
| | PlugX - APT3, Aurora Panda |
| | Derusbi - APT17, Deep Panda |
| | mimikatz - APT1, APT28, Snake |
| | PoisonIvy - Nitro, TropicTrooper |
| | njRAT - Sphinx, MoleRats |
| | XtremeRAT - Deadeye Jackal, MoleRats |
| | Empire - Snake, APT33, WIRTE |
| 56 | malware dev as a daily job rather than hobby |
| | malware programming language choices |
| | C, C++, Delphi, PowerShell, Golang |
| | antivirus engines may be less optimized for uncommon languages |
| | development environment |
| | editor, linker, compiler, debugger |
| | object file |
| | APT1 - “File no exist”, “Fail To Execute The Command” |
| | malware authors should remove these messages from samples |
| | malware code reuse |
| | malware libraries |
| 57 | kill chain |
| | lateral movement |
| | WikiLeaks - Vault 7 - CIA |
| | Vault 7 had professional development guideline documents |
| | Vault 7 had documents for malware OPSEC |
| | CIA prioritized malware ease of use and uniformity to reduce the chances of blunders |
| 58 | sample database: VirusTotal |
| | false alarm, false positive |
| | VT uploads are mostly by non-experts |
| | more phishing lures and droppers on VT than rootkits or staged implants |
| | VT uploads can be tracked back to the uploader |
| | ESET - Eastern Europe |
| | Qihoo 360 - China |
| | Trend Micro - Japan and Germany |
| 59 | prevalence, by region |
| | file reputation |
| | hash-fingerprint |
| | on-site incident handling – Mandiant |
| | sharing of samples between companies and researchers |
| | Traffic Light Protocol - TLP |
| | TLP-WHITE, TLP-GREEN, TLP-AMBER, TLP-RED |
| 60 | evidence - timestamps |
| | PE build timestamp, 1969 vs 1970 (UNIX timestamp) |
| | patterns of life |
| | APT10 compiled samples with Russia, China, Mongolia, … working hours |
| | Cadelle group |
| 61 | Iran has strange working hours: Sat-Wed, Thursday is a half day |
| | Longhorn group - CIA attribution (Symantec) |
| | Symantec |
| | MTWRFSU |
| | Chinese New Year |
| | false flag |
| 62 | a few APTs manipulate these timestamps - nulling usually |
| | Spring Dragon - 2 timezones |
| | Language Resources - resources section |
| | Latin, Arabic, Cyrillic, Chinese, Greek, … |
| | codepage: 819, 720, 1251, … |
| | Zagruzchik - Russian for “bootloader” |
| | LadyBoyle exploit framework |
| | PDB path |
| | Visual Studio |
| 63 | HangOver campaign |
| | PDB path “users” in German is “Benutzer” |
| | - username may indicate nationality |
| | - path may reveal project or campaign names |
| | - date formats vary by culture |
| | CadelSpy |
| | Iranian Solar Calendar |
| | India - Appin Security Group |
| | strings |
| | PDBs and clustering |
| | PDBs are loose attribution |
| 64 | Rich Headers - undocumented |
| | Rich Headers as attribution |
| 65 | malware family |
| | machine learning |
| | control servers - configuration extractor |
| | reverse engineering |
| | malware VM detection |
| 66 | sandbox |
| | encryption as attribution |
| | Equation Group - RC5 constant |
| | TTP |
| | Regin also had this constant |
| | Belgium - Belgacom |
| 67 | Vault 7 - do not self-develop crypto in more than one malware family |
| 71 | attack infrastructure |
| | domain registry |
| | some APT groups have thousands of domain names |
| | Project Raven - UAE |
| | Project Raven’s leaked documents reveal that infrastructure team had dedicated offices |
| 72 | compromise legitimate servers |
| | Tor |
| 73 | dedicated root server |
| | VPS |
| | OPSEC considerations |
| | some groups use pre-configured VMs for convenience |
| | shared hosting |
| | DNS |
| | GDPR |
| | attackers use innocent-looking domain names |
| 74 | many registrars allow anonymous registration |
| | paying for domains with bitcoin - APT28 |
| | WhoisGuard, Privacy Protect, Domains by Proxy |
| | .tk (Tokelau) - South Pacific |
| | dynamic DNS |
| | dyndns, servebeer.com, no-ip.org |
| | subdomain |
| | Whois database |
| | silver bullet |
| | blocking dynamic DNS domains |
| 75 | Nginx |
| | bulletproof hosting |
| | VPN |
| | attackers disable logs in case their infrastructure is seized |
| | up to four layers of proxying |
| | peer-to-peer |
| | RSA company |
| | campaign code |
| | many APTs are reactive with OPSEC practices |
| 76 | freemail - Gmail, mail.ru, Hotmail, Yahoo, 163.com |
| | Whois protocol |
| | DomainTools, RiskIQ |
| | Whois reverse search |
| | actors re-visiting email addresses for multiple domains |
| 77 | Delhi |
| | passive DNS/pDNS |
| | attackers using one IP for several domains |
| 78 | CDU - Germany |
| | Turkey |
| | Snake - hijacked satellite providers |
| | DNS root server |
| | attackers re-using DNS servers |
| 79 | Domains4Bitcoins |
| | domain takedown |
| | APTs re-using patterns in domain names |
| | trademark |
| 80 | active scanning for attacker infrastructure |
| | internet-wide scanning |
| | Shodan |
| | PoisonIvy scanning |
| | MalwareHunter |
| 81 | PassiveSSL - Luxembourg CIRCL |
| | Censys |
| | FoFa |
| | CRT.sh |
| | Certificate Authority |
| | certificate reuse as attribution |
| | SSL/TLS |
| | Common Name |
| 82 | DNC hack - cert reuse w/ German Bundestag |
| | ThreatConnect |
| | Edward Snowden |
| | ThreatConnect criticized for revealing poor OPSEC of APT groups |
| 83 | APT28 reusing fields in SSL certs, probably due to automation |
| | banners as attribution |
| 84 | custom servers as attribution |
| 87 | indictment |
| | APT operators may have strict playbooks |
| 88 | PHP, Python as server-side language |
| | Stuxnet, Flame similarities |
| | Flame disguised as a news site |
| 89 | C2 panels: IP, uptime, country, campaign code |
| | attackers using RDP for access |
| | attackers manage infrastructure with SSH |
| | operators using C2 to access restricted sites in censored areas |
| | server seizure |
| | lawful interception |
| | wiretap |
| 90 | Judicial Assistance |
| | RDP session recording - evidence of Chinese keyboards |
| | GDPR |
| | DSL |
| | cui bono |
| 91 | North Korean actors operating from Chilbosan Hotel, Shanghai China |
| | CloudHopper |
| | Group-IB |
| | Lazarus |
| 92 | Sony hack |
| | Pyongyang |
| | North Korean Ministry of Defense |
| | DOTA - APT1 |
| 92 | Snake operators OPSEC fail – using VKontakte over stolen satellite links |
| | operator’s social media profiles public |
| | server side code in PHP/Python, no reversing required if infrastructure is accessed |
| | Lua |
| 94 | code comments as camouflage |
| | GhostNet |
| | Dalai Lama |
| | Advtravel campaign - Egypt, Israel |
| | Dev_Homa account |
| | attackers reusing dev/testing infrastructure |
| | Dev_Hima using Facebook OPSEC failure |
| 95 | access.log |
| | attackers connecting directly to their infrastructure |
| | X-Agent source code |
| | swear words in code |
| | USDOJ |
| | GRU |
| 99 | geopolitics |
| 100 | Deputy Division Director - Ministry of State Security (MSS) |
| | Jiangsu Province, China |
| | Operation Olympic Games |
| | “Confront and Conceal” - David E. Sanger |
| | US National Security Council (NSC) |
| | Barack Obama |
| | Israeli Cyber-Unit 8200 |
| 101 | TAO |
| | Snowden leaks |
| | Size of TAO > 1000 employees |
| | APT1 - 2nd Bureau of 3PLA |
| | USA, Canada, Great Britain |
| | Shadow Brokers |
| | malware license keys |
| 102 | use of private contractors for malware development |
| | Tim Maurer |
| | Five-Year Plans |
| | sanctioning |
| | Chosun Expo - front for Lab 110 of the Reconnaissance General Bureau (RGB) |
| | movie ridiculing Kim Jong Un |
| 103 | Cellebrite, Vupen, Hacking Team, NSO |
| | leaked HackingTeam emails revealed customers |
| | UAE - DarkMatter |
| | Project Raven |
| | immunity |
| | Bahamut Group |
| | Strategic Support Force |
| | Xi Jinping |
| | APT41 - China |
| | WannaCry |
| | Lazarus hacking banks for financial gain |
| 104 | OSINT |
| | Permanent Court of Arbitration - The Hague |
| | Philippines complaints of China + South China Sea |
| | Malaysian plane MH-17 over Ukraine |
| | Ukraine is a hot spot for APT activity after annexation of Crimea |
| | threat intelligence |
| | India and Pakistan both claim Kashmir |
| | Five Poisons: Tibet, Taiwan, Uyghur, Falun Gong, and the democracy movement |
| 105 | Syrian civil war |
| | NATO |
| | lack of findings is a finding |
| | Thirteenth Five-Year Plan |
| 106 | Made in China 2025 |
| | artificial intelligence |
| | German Ministry of the Interior |
| | Belt and Road Initiative (BRI) |
| | intellectual property |
| | Putter Panda |
| | 2nd TRB (Technical Reconnaissance Bureau) |
| | Nanjing |
| | Hidden Lynx - Symantec |
| | APT3 - hacks of Siemens and Trimble |
| | Boyusec |
| 107 | * org chart for PLA cyber units |
| | German Federal Intelligence Service (BND) |
| | Byzantine Hades |
| 108 | French Secret Service DGSE |
| | “The New Nobility” - Andrei Soldatov |
| | “The Red Web” |
| | History of CIA - Tim Weiner |
| 109 | Mark Galeotti |
| | APT28, APT29 |
| | SVR, GRU, FSB |
| | Russian Laws of Establishment |
| 111 | Sandworm, Gamaredon, Energetic Bear, Red October |
| | RUAG defense contractor |
| 112 | AIVD intelligence service |
| | ICS |
| | Havex trojan |
| | air-gapped |
| | Palmetto Fusion |
| | Industroyer |
| | Crash Override |
| | BlackEnergy 3 |
| 113 | Ukrainian Security Service (SBU) |
| | Ministry of Public Security (MPS) |
| | Islamic Revolutionary Guards Corps (IRGC) |
| | Ministry of Intelligence (MOIS) |
| 114 | Unit 61580 |
| | Unit 75779 |
| | Unit 61398 |
| | Strategic Support Forces (SSF) |
| | Byzantine Viking |
| | PLA Navy, Air Force, Rocket Forces |
| | Unit 61486 |
| | CrowdStrike |
| | Naikon group |
| | Guangzhou |
| 115 | Zheng Junjie |
| 121 | telemetry |
| 122 | silver bullet |
| | file scanner |
| | on-demand file scanning |
| | sending samples to the vendor |
| 123 | reputation services |
| | reputation |
| | network perimeter |
| | e-mail scanning services |
| | behavior-based products |
| | PowerShell |
| | sandbox |
| 124 | phoning home |
| | on-premise |
| | scanning issues with on-premise |
| | detection data to help tune detections |
| | spear phishing |
| 125 | prevalence |
| | cui bono |
| | regions and sectors |
| | most vendors are regional |
| | NotPetya |
| | M. E. Doc - Ukrainian tax software |
| 126 | co-occurrence |
| | WannaCry |
| | enrichment |
| | Lazarus - North Korea |
| | command-line detections |
| | APTs opting into living off the land |
| | malicious mail |
| | - subjects |
| | - addresses |
| | - attachments |
| | - filenames, hashes, … |
| | - signatures |
| | VirusTotal |
| | timestamps as attribution |
| 127 | RDP |
| | 4C model |
| | intent |
| | “telemetrybution” |
| 128 | Kaspersky Lab |
| | Uzbekistan State Security Service (SSS) |
| | SandCat |
| | SandCat uploaded samples to VirusTotal |
| | Military Unit 02616 |
| 131 | countering counter-intelligence |
| | physical surveillance |
| | eavesdropping |
| | WhoisGuard |
| | Domains By Proxy |
| | Vault 7 leaks |
| 132 | Anglo-Saxon |
| | MICE - Money, Ideology, Coercion, Ego |
| | cyber mercenaries |
| | HiddenLynx |
| | Peter Mattis |
| | MSS |
| | PwC |
| | APT10 |
| | APT1 - Shanghai |
| | Mandiant |
| | University of Wuhan |
| | compartmentalization |
| | Belgacom |
| | Regin |
| | RemSec |
| 133 | HangOver, HiddenLynx - likely contractors |
| | APT28 - GRU |
| | APT28 reuses C2 for long periods of time |
| | OPSEC, camouflage, plausible deniability |
| | lack of OPSEC in APT groups |
| | Cold War |
| 134 | defectors - Iran, North Korea |
| | Unit 180 - RGB |
| | Mohammad Hussein Tajik |
| | Iranian Supreme Religious Leader |
| | Ali Khamenei |
| | fief, fiefdom |
| | pardon |
| | OilRig |
| | MOIS - Ministry of Intelligence |
| | IRGC |
| | OSINT |
| | Michael Flynn |
| | US National Security Advisor |
| | “90% of intelligence is open-source” |
| | threat intelligence - monitor forums, newspapers, TV stations, websites, political statements, … |
| 135 | information gap |
| | SIGINT |
| | GRU attack of Democratic Party 2016 |
| | Putin |
| 136 | GoldSun |
| | Sakurel malware |
| | Boeing |
| | Josh Earnest |
| | Snowden documents |
| 137 | wiretap |
| | undersea cables |
| | IX, IXP |
| | trunk line |
| | listening post |
| | Operation Socialist |
| | GCHQ |
| | Stellar - satellite internet |
| | Snake |
| | Gumblar |
| | keylogger |
| 138 | 4th party collection |
| | TAO |
| | Symantec |
| | Democratic Party of Kurdistan |
| | Iraqi Ministry of Foreign Affairs |
| | limitations of SIGINT |
| | HUMINT |
| | BfV - German counter-intelligence agency |
| | Hans-Georg Maassen |
| | Netzwerk Recherche |
| 139 | high probability of cross-pollination between related intel organizations |
| | fence (criminal) |
| | many hackers only know each other online |
| | - easy to create personas |
| 140 | hacking back |
| | data at rest |
| | Byzantine Condor/Titan Rain |
| | Lockheed Martin |
| | NASA |
| | US, British Ministry of Defense |
| | 3PLA |
| | MiTM |
| | traffic injection |
| | Richard Ledgett - Deputy Director of NSA |
| | US State Department |
| | Dutch intelligence - AIVD |
| | APT29 |
| | RemSec malware |
| | FSB |
| | embassy |
| 141 | Dragonfly - Havex |
| | tracking pixel |
| | patterns of life |
| | FISA - Foreign Intelligence Surveillance Act |
| | NSL - National Security Letter |
| | Sakula malware - GoldSun |
| | Google Mail |
| | Adobe Flash 0-day |
| | APT28 |
| | Lazarus |
| 142 | Five Eyes |
| 147 | doxing |
| | Ugly Gorilla |
| | Third Department - PLA |
| | master-student relationship |
| 148 | reuse of handles |
| | WHOIS data |
| | CrowdStrike |
| | Putter Panda |
| | Chen Ping |
| | Ge Xing |
| | Naikon group |
| 149 | ThreatConnect |
| | Technical Reconnaissance Bureau - Kunming |
| | PII |
| | PDB paths as attribution |
| | Appin (company) |
| | passive DNS |
| | reverse WHOIS |
| | Google, Bing |
| | QQ messenger |
| 150 | weak links, unambiguous links |
| | plausibility checks, corroboration |
| 151 | photo analysis |
| | Google Maps |
| | Unit 61486, 78020 |
| | 12th Bureau - PLA |
| | top-down doxing |
| 153 | false flag |
| 154 | Vault 7 documentation of avoiding attribution |
| | MARBLE framework |
| | obfuscation functions |
| | project UMBRAGE |
| | WARBLE framework |
| | Han van Meegeren |
| | Jan Vermeer |
| 155 | Micropsin malware |
| | CloudAtlas group |
| | Quarian malware |
| 156 | time-shifting anti-attribution |
| | registering expired C2 domains |
| | MICTIC |
| | Islamic State |
| 157 | using stolen malware, anti-attribution |
| | language anti-attribution |
| | NCSC - UK |
| | Neuron, Nautilus malware |
| 158 | Thomas Rid |
| | King’s College, London |
| | compiler timestamp |
| | Ben Buchanan |
| 159 | validity - misuse of foreign languages |
| | X-Agent malware |
| | continuous development, malware |
| | development branch |
| 160 | Rich header |
| | Olympic Games |
| | Olympic Destroyer |
| | Visual Studio 6 |
| | Rich header false flag |
| | Cloud Atlas |
| | Arabic, Hindi |
| | Red October campaign |
| | weighting of evidence |
| 161 | Analysis of Competing Hypotheses (ACH) |
| | CIA |
| | HUMINT |
| | bias |
| 166 | APT group setups |
| | monolithic team |
| 167 | malware free riders, malware purchasers |
| | PowerShell Empire |
| | PoisonIvy |
| | Winnti |
| | Sakula |
| 168 | freelance operator |
| | malware developers |
| | Hacking Team |
| | NSO |
| | infrastructure quartermaster |
| | Unit 74455 |
| 169 | infrastructure guests |
| | sharing groups, super threat actors |
| | Silas Cutler |
| | Juan Andrés Guerrero-Saade |
| | Supra Threat Actor |
| | GCHQ DAREDEVIL |
| | NSA UNITEDRAKE |
| | kill chain |
| | access teams - specialize in obtaining footholds |
| | DMZ |
| 170 | marauders |
| 173 | communication attribution data |
| 174 | network defense |
| | information gain/information loss tradeoffs |
| | US-CERT |
| 175 | diplomacy |
| | Grizzly Steppe Report |
| 176 | Obama |
| | Xi Jinping |
| 177 | security company reputation |
| 178 | attribution cherry-picking |
| | presentation of attribution results |
| 179 | object of attribution |
| | level of attribution |
| | level of detail |
| | diversity of evidence |
| | premises and assumptions |
| | inconsistent evidence |
| | potential false flags |
| 180 | alternative hypothesis |
| | confidence level |
| | evidence |
| 181 | reaction to attribution disclosure |
| 185 | ethics of attribution |
| | neutrality |
| | rarity of disclosure of Western APT groups |
| 187 | consequences of attribution |
| | F-Secure |
| | Collin Anderson |
| 188 | outing individuals |
| | GhostNet |
| | Dalai Lama |
| 189 | possibility of mistakes |
| 192 | dynamic DNS |
| 194 | Vermeer effect |
| | clustering |
| | apprentice, journeyman, master |