APT28: A window into Russian cyber-espionage operations?
Defending technological assets against cyberattacks
10 and 11 December 2014
www.ccn-cert.cni.es © 2014 Centro Criptológico Nacional
C/Argentona 20, 28023 MADRID
APT28: A window into Russian cyber-espionage operations?
VIII JORNADAS STIC CCN-CERT
FireEye / Mandiant
Ricardo Hernandez Calleja, Ricardo.hernandez@fireeye.com
FireEye Mission
• Technology infrastructure is more essential than ever to the world's economy
• Threats to infrastructure are real; the costs of compromise are palpable
• Cyber security has never been more critical
• With the most advanced technology, threat intelligence and the world's most experienced researchers and incident responders, we are committed to stopping cyber threats
Contents
1. Key findings on APT28
2. APT28's targets coincide with Russia's interests
3. Malware characteristics point to Russian programmers
4. Conclusions
APT28: Key Findings
APT28 Key Findings
APT28 targets insider information related to governments, militaries, and security organizations that would likely benefit the Russian government.
APT28 primarily targets Georgia, Eastern Europe, and European security organizations using skillfully engineered malware which was created during normal working hours in Moscow.
APT28 Primary Targets
APT28 Malware Overview
APT28 Malware Created in Moscow?
APT28's Targets: Coinciding with Russia's Interests
Targeting: Caucasus Region
Targeting: Georgian Ministry of Internal Affairs
Targeting: Caucasus Region Militaries and Media
• Georgian military
• Armenian military
• Kavkaz Center
Targeting: Eastern Europe
• Ministry of Foreign Affairs infected
• Polish government targeted with CORESHELL
• MH17 lure
• Baltic Host exercises
Targeting: European Security Organizations
• NATO
• OSCE
Targeting: Defense Attachés
• UK
• Turkey
• China
• Japan
• South Korea
Targeting: Defense
Targeting: Wide-ranging Interests
Lures
Malware Characteristics Point to Russian Programmers
Updated since 2007
Malware
Malware: Ecosystem
Malware: Counter-analysis
• Unused machine instructions
• Runtime checks
• Obfuscated strings
• RSA encryption of stolen data
Malware: Updated Since 2007
• New network traffic formats, export functions, filenames
• Removed Russian language resources
Malware Variants
• CHOPSTICK backdoor
  • HTTP variant
  • SMTP variant
  • Removable drive variant
• EVILTOSS backdoor
  • x86 HTTP variant
  • x64 HTTP variant
  • x86 SMTP variant
Russian language in the code
• Locale and language identifiers associated with APT28 malware
When were developers working?
Conclusion
Questions?
Follow us on LinkedIn
E-Mails
Websites
www.ccn.cni.es
www.ccn-cert.cni.es
www.oc.ccn.cni.es