Themes:
• Cyber Espionage
• Increased Loss of View Attacks
• Adversary Improvements
Cyber Espionage: Emergence of New Players
APT32: Vietnam-based Theft, February 2019
• Original emergence: ~2014
• Increased presence in February 2019
• Targets: automotive manufacturers, primarily in SE Asia and the U.S.
• Motivation: theft of intellectual property and/or "corporate operational information"
• Assessed activity in support of the Vietnamese government's stated domestic vehicle and auto part manufacturing goals
• VinFast, the first domestic manufacturer, released its flagship model in Sept. 2019
• Techniques: spear phishing and redirects to compromised websites
Russian Reconnaissance: Xenotime, March 2019
• Xenotime interests remain varied, from the U.S. to SE Asia, electric grid to ONG operations (March 2019)
• Analysis connects Xenotime to the Trisis compromise in Saudi Arabia in September 2017
• Probing behavior and network enumeration attempts against U.S. utilities in February 2019
• Significantly: "Dragos did not observe any of these attack attempts result in a successful intrusion"
• Multi-sector interest – disturbing
• Dragos responds to another intrusion, April 2019
"Xenotime remains the most dangerous cyberthreat in the world, with the capability and intent to kill people…"
- Sergio Caltagirone, VP Threat Intelligence, Dragos
Nuclear Aspirations: Lazarus APT, Oct. 2019
• Dtrack – remote access tool (RAT) located within Kudankulam Nuclear Power Plant (KNPP) IT systems
• Source code included hard-coded credentials to KNPP, indicating a targeted attack
• Contains methods to collect browser history, passwords, host IPs, running processes, and all files on disk volumes
• North Korean-based cyber actors attempt to access information about India's nuclear fuel yields at KNPP
• India's civilian and military programs are closely intertwined
Turla Masquerades, Cyber False Flags, 2018-2019
Supply Chain Ecosystem: Targeting Trusted Partners
Ransomware: Norsk Hydro, March 2019
• 19 March 2019
• Intelligent infection: malicious attachment mirrored legitimate conversations with customers
• Cyber insurance: present, but insignificant
• As of October, only 6% of losses had been received
China's Access Campaign, July-August 2019
• 17 U.S. utilities are targeted by a malicious campaign
• Emails claimed to be from the National Council of Examiners for Engineering and Surveying (NCEES), a South Carolina-based nonprofit
• Second set impersonates the Global Energy Certification (GEC)
• Embedded remote access trojan (RAT)
• Capable of deleting files, taking screenshots, rebooting a machine, deleting itself from an infected network, etc.
• Low-confidence attribution to China-based APT 10
• Targeted Japanese corporations in 2018
[Figure: Example Email]
China Targets Aviation, January 2019
• Initial infection: VPN compromise via third parties to access Airbus' networks
• Attackers sought technical documentation regarding the certification process for components of the aircraft
• Activity also indicated an interest in Airbus-designed military planes
Russian Reconnaissance: Turla
• Since 2014, Turla (aka Snake) has been hacking into victims' Microsoft Exchange servers
• Installing the LightNeuron backdoor
• LightNeuron backdoor for Exchange: allows Turla attackers to read and modify email messages, create and send their own messages, and block messages to users at the victim organization
Operational Improvements: Maximizing Adversary Investment
Iranian VPN Vuln Weaponization, August 2019
• Iranian-based hackers targeted a variety of VPN users, including IT, Telecommunication, Oil and Gas, Aviation, Government, and Security companies
• Exploited not 0-days, but baby vulns; some as young as 1 day old
• Weaponized vulns include:
• Pulse Secure "Connect" VPN (CVE-2019-11510);
• Fortinet FortiOS VPN (CVE-2018-13379);
• Palo Alto Networks "Global Protect" VPN (CVE-2019-1579); and
• Citrix "ADC" VPNs (CVE-2019-19781).
Iranian VPN Vuln Weaponization, August 2019: Iranian tools
• STSRCheck: self-developed databases and open ports mapping tool
• Port.exe: tool to scan predefined ports for an IP address
• POWSSHNET: self-developed backdoor malware for RDP-over-SSH tunneling
Brief History of Loss of View Attacks
2015, Ukraine
• Moxa Serial-to-Ethernet converters disrupted
• HMI lockout
2016, Lithuania
• Widespread DDoS against unspecified targets
2019, U.S.
• Wind farm visibility loss
• Post-event analysis: vendor review of firewall logs identified that the reboots were instigated by an external entity exploiting a vulnerability
Sarah Freeman
Idaho National Laboratory
Cybercore Integration Center
Sarah.Freeman@inl.gov
Reference Slides
SANS ICS Cyber Security Summit
2-3 March 2020
Dustman Malware - dustman.exe
Indicators of Compromise
Name: dustman.exe
MD5 Hash: 8AFA8A59EEBF43EF223BE52E08FCDC67
SHA-1 Hash: E3AE32EBE8465C7DF1225A51234F13E8A44969CC
SHA-256 Hash: F07B0C79A8C88A5760847226AF277CF34AB5508394A58820DB4DB5A8D0340FC7
Size: 264,704 bytes
Type: 64-bit EXE
Compilation Date: Sun Dec 29 08:57:19 2019 (GMT+3)
Dustman Malware - elrawdsk.sys
Indicators of Compromise
Name: elrawdsk.sys
MD5 Hash: 993E9CB95301126DEBDEA7DD66B9E121
SHA-1 Hash: A7133C316C534D1331C801BBCD3F4C62141013A1
SHA-256 Hash: 36A4E35ABF2217887E97041E3E0B17483AA4D2C1AEE6FEADD48EF448BF1B9E6C
Size: 24,576 bytes
Type: 64-bit EXE
Compilation Date: Sun Oct 14 10:43:19 2012 (GMT+3)
Dustman Malware - assistant.sys
Indicators of Compromise
Name: assistant.sys
MD5 Hash: EAEA9CCB40C82AF8F3867CD0F4DD5E9D
SHA-1 Hash: 7C1B25518DEE1E30B5A6EAA1EA8E4A3780C24D0C
SHA-256 Hash: CF3A7D4285D65BF8688215407BCE1B51D7C6B22497F09021F0FCE31CBEB78986
Size: 68,288 bytes
Type: 64-bit EXE
Compilation Date: Sat May 31 05:18:53 2008 (GMT+3)
Dustman Malware - agent.exe
Indicators of Compromise
Name: agent.exe
MD5 Hash: F5F8160FE8468A77B6A495155C3DACEA
SHA-1 Hash: 20D61C337653392EA472352931820DC60C37B2BC
SHA-256 Hash: 44100C73C6E2529C591A10CD3668691D92DC0241152EC82A72C6E63DA299D3A2
Size: 116,224 bytes
Type: 64-bit EXE
Compilation Date: Sun Dec 29 08:56:27 2019 (GMT+3)