Source: sans.org
TRANSCRIPT
Potential for false flag operations
in the DNC Hack
Jake Williams
Rendition Infosec
rsec.us
@MalwareJake
# whoami
• Passionate about security
• More than a decade of InfoSec experience
• Some things about me:
– Forensic Analyst
– Incident Responder
– Vulnerability Researcher
– SANS Instructor/Course Author
– Conference Addict
(C) 2016 Rendition Infosec - Jake Williams
Agenda
• Why do we care?
• Overview of the hack
• TTPs known to be used
• File metadata from exfiltrated docs
• False flag opportunities
Why do we care?
• Suppose your organization is concerned with politics
– Or Russia
– Or foreign policy
• Your leaders want you to validate the attribution and help them understand the connections between the DNC hack and Russia
• Leadership is reading about the Guccifer 2.0 character and is worried about lone actors
Attack Timeline
• 14JUN – DNC hack announced (more or less) by CrowdStrike
• 15JUN – Guccifer 2.0 takes credit, Russia publicly denies involvement
– “maybe someone forgot the password”
• 18JUN, 21JUN – Guccifer 2.0 releases more docs
• 20JUN – ThreatGeek posts findings from malware analysis
• 22JUN – Guccifer 2.0 opens DMs for media inquiries
Guccifer Really Dislikes CrowdStrike
• While it’s possible that Guccifer is a Russian puppet, he really dislikes CrowdStrike
Attribution Considerations
• TTPs used by the attacker
• Specific malware used
• Malware characteristics observed
• Command and control domains, IP addresses, and other infrastructure
On Validating Attribution
Our Diamond Model
[Diamond model diagram; legend: Observable Facts > Others’ Analyses]
– Adversary: Russia??? Other actor?
– Victim: Email server, IRC/Chat server
– Capability: SeaDaddy, PowerShell, X-Agent, X-Tunnel
– Infrastructure: 185.100.84.134, 58.49.58.58, 218.1.98.203, 187.33.33.80, 185.86.148.227, 45.32.129.185, 23.227.196.217
What do we know?
• Capability
– Credential theft
– Living off the land
• Infrastructure
– Multiple IP addresses and malware
– Domains not specified in CrowdStrike reporting
• Victim
– DNC email and chat servers (and certainly others)
Infrastructure
• Quickly pivoted from reported IP 185.100.84.134
• Looks like a pretty low reputation CIDR…
• Thanks Recorded Future!
Infrastructure (2)
• Quickly pivoted from reported IP 185.100.84.134
• Taking a look at domains related to this IP – nothing from DomainTools
Infrastructure
• Being from Romania isn’t necessarily bad
TTPs – Compromised Websites for C2
• Earlier websites seen used by SEADUKE malware were compromised
– Renders reverse WHOIS useless…
Let’s try another IP
• Looks like 58.49.58.58 is running an Apache web server – in China
Let’s try another IP (2)
• No info in mnemonic or VirusTotal for 58.49.58.58 either
Why the focus on C2?
• The attackers either have to purchase or compromise C2
• If purchased, there may be links we can follow
– Registration email
– Where the domain is parked
• If compromised, there may be something common in the targets that suggests a particular capability
– Perhaps all compromised domains are running Drupal or WordPress
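The two pivots the slide describes (shared registration data for purchased C2, a shared CMS for compromised C2) as a small script. This is an added example, not code from the talk or from Rendition Infosec; every host, registrant address, nameserver and CMS banner in it is a constructed placeholder, not data about the DNC C2 servers.

```python
"""Pivoting on C2 infrastructure: purchased vs. compromised.

Added example, not code from the talk. Every record below is a
constructed placeholder (hypothetical hosts, registrants and CMS
banners), not real data about the DNC C2 servers.
"""
import re
from collections import defaultdict

# Constructed observations. Purchased infrastructure carries registration
# data; compromised sites carry only a CMS banner fingerprint.
C2_OBSERVATIONS = [
    {"host": "c2-a.example", "kind": "purchased",
     "registrant": "ops@mail.example", "nameserver": "ns1.park.example"},
    {"host": "c2-b.example", "kind": "purchased",
     "registrant": "ops@mail.example", "nameserver": "ns1.park.example"},
    {"host": "c2-c.example", "kind": "purchased",
     "registrant": "other@mail.example", "nameserver": "ns2.park.example"},
    {"host": "blog.victim1.example", "kind": "compromised", "cms": "WordPress 4.2.1"},
    {"host": "shop.victim2.example", "kind": "compromised", "cms": "WordPress 4.2.2"},
    {"host": "news.victim3.example", "kind": "compromised", "cms": "Drupal 7.31"},
]


def link_purchased(observations):
    """Group purchased domains by registration attributes (registrant email,
    nameserver / parking provider). A link is only a pivot if two or more
    domains share it, so singletons are dropped."""
    by_key = defaultdict(set)
    for o in observations:
        if o.get("kind") != "purchased":
            continue
        by_key[("registrant", o["registrant"])].add(o["host"])
        by_key[("nameserver", o["nameserver"])].add(o["host"])
    return {k: sorted(v) for k, v in by_key.items() if len(v) > 1}


def cms_family(banner):
    """Reduce 'WordPress 4.2.1' to 'WordPress' so compromised hosts cluster
    by software family rather than exact version."""
    m = re.match(r"[A-Za-z]+", banner)
    return m.group(0) if m else banner


def link_compromised(observations):
    """Group compromised C2 hosts by CMS family; a family shared across most
    of them suggests one exploitation capability behind the compromises."""
    by_family = defaultdict(list)
    for o in observations:
        if o.get("kind") == "compromised":
            by_family[cms_family(o["cms"])].append(o["host"])
    return {fam: sorted(hosts) for fam, hosts in by_family.items()}


def dominant_capability(observations, threshold=0.5):
    """Return the CMS family behind more than `threshold` of the compromised
    C2 hosts, or None if no single family dominates."""
    families = link_compromised(observations)
    total = sum(len(h) for h in families.values())
    for name, hosts in families.items():
        if total and len(hosts) / total > threshold:
            return name
    return None


if __name__ == "__main__":
    print("purchased links:", link_purchased(C2_OBSERVATIONS))
    print("compromised by CMS:", link_compromised(C2_OBSERVATIONS))
    print("dominant capability:", dominant_capability(C2_OBSERVATIONS))
```

Feed it real WHOIS and banner data and the same two functions apply; the caveat from the following slides still holds, since a registrant email or a CMS banner is something an attacker chooses and can vary on purpose.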
Malware Artifact Challenges
• Malware artifacts may also say something about the attacker
• These are easy to fake – we do it all the time at Rendition Infosec
• Black Hills Infosec used to provide a service to embed APT-related strings in existing binaries
• Ed Skoudis has been saying for years that connections to the Stuxnet code can’t really be trusted – too easy to false flag
• PowerShell is just text – too easy to copy “coding styles”
Malware Artifacts of Interest
• ThreatGeek reported that the X-Tunnel sample had embedded OpenSSL 1.0.1e
– Heartbleed vulnerable!
• Attackers reused some C2 IP addresses hardcoded into the DNC X-Tunnel sample from a sample seen in the German Parliament attack in 2015
• FireEye reporting links malware in the German Parliament attack to Russia
Document Metadata
• Many stolen documents have been released by Guccifer 2.0
• Some metadata seems more than a little off…
False Flag Opportunities
• Copying PowerShell from other reports
• Planting malware artifacts
• Using compromised C2 servers from multiple countries rather than registering domains
• Planting document metadata
• Use of a social media puppet with broken English
• Publicly discrediting the work of researchers
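The "Document Metadata" slide and the "Planting document metadata" bullet above both come down to the same file format detail: a .docx is a zip archive, and the author and last-modified fields live in plain XML at docProps/core.xml. The script below, an added example that is not from the talk and uses no leaked document, builds a minimal .docx in memory, reads those fields, then rewrites them while leaving every other part of the package untouched. The names and timestamps are placeholders.

```python
"""Reading and planting OOXML (.docx) core metadata.

Added example, not code from the talk. The document is built in memory
from a minimal constructed package; no leaked file is used, and the names
and timestamps are placeholders.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# Metadata field -> element path inside docProps/core.xml
FIELDS = {
    "creator": "dc:creator",
    "lastModifiedBy": "cp:lastModifiedBy",
    "modified": "dcterms:modified",
}

CORE_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}">'
    "<dc:creator>{creator}</dc:creator>"
    "<cp:lastModifiedBy>{lastModifiedBy}</cp:lastModifiedBy>"
    "<dcterms:modified>{modified}</dcterms:modified>"
    "</cp:coreProperties>"
)


def build_docx(creator, lastModifiedBy, modified):
    """Return bytes of a minimal .docx containing only the parts needed here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("docProps/core.xml", CORE_XML.format(
            creator=creator, lastModifiedBy=lastModifiedBy, modified=modified, **NS))
        z.writestr("word/document.xml",
                   '<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
    return buf.getvalue()


def part_bytes(docx_bytes, name):
    """Raw bytes of one part of the package (used to show what plant_metadata leaves alone)."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        return z.read(name)


def read_core_metadata(docx_bytes):
    """The core.xml fields an analyst looks at first; None when a field is absent."""
    root = ET.fromstring(part_bytes(docx_bytes, "docProps/core.xml"))
    out = {}
    for name, path in FIELDS.items():
        el = root.find(path, NS)
        out[name] = el.text if el is not None else None
    return out


def plant_metadata(docx_bytes, **fields):
    """Rewrite docProps/core.xml with chosen values and repack every other
    part byte-for-byte. Anyone holding the file can do this, which is why
    these fields on their own attribute nothing."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename == "docProps/core.xml":
                root = ET.fromstring(data)
                for name, value in fields.items():
                    root.find(FIELDS[name], NS).text = value
                data = ET.tostring(root, encoding="utf-8", xml_declaration=True)
            dst.writestr(info.filename, data)
    return out.getvalue()


if __name__ == "__main__":
    doc = build_docx("analyst", "analyst", "2016-06-15T10:00:00Z")
    print(read_core_metadata(doc))
    print(read_core_metadata(plant_metadata(doc, lastModifiedBy="planted name")))
```

The same read function works on a real .docx, because it only depends on the standard core-properties part; the planting step is the whole reason a surprising author name in a leak is an artifact to weigh, not a fact to conclude from.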
False Flag PowerShell
• Sure we’ve seen the PowerShell key before
– But you can create “Russian Malware” using it too!
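The artifacts the "Malware Artifacts of Interest" slide relies on (an embedded OpenSSL 1.0.1e banner, hardcoded C2 addresses overlapping an earlier campaign) and the point of the "Malware Artifact Challenges" and "False Flag PowerShell" slides (those artifacts are strings, and strings can be planted) fit in one script. It is an added example, not code from the talk: SAMPLE and UNRELATED are constructed byte blobs standing in for binaries, PRIOR_CAMPAIGN_IPS is a placeholder for an earlier report's IOC list, and nothing here is the real X-Tunnel sample. The Heartbleed range (OpenSSL 1.0.1 through 1.0.1f, CVE-2014-0160) is the published one.

```python
"""Extracting malware artifacts and planting them.

Added example, not code from the talk. SAMPLE and UNRELATED are constructed
byte blobs standing in for binaries; PRIOR_CAMPAIGN_IPS is a placeholder for
an earlier report's IOC list. None of it is the real X-Tunnel sample.
"""
import ipaddress
import re

# Constructed stand-in for an X-Tunnel-like sample: an OpenSSL version banner
# and two hardcoded C2 addresses among other bytes.
SAMPLE = (b"MZ\x90\x00\x03" + b"\x00" * 8 + b"OpenSSL 1.0.1e 11 Feb 2013\x00"
          + b"\x00tunnel\x00" + b"185.86.148.227\x00" + b"45.32.129.185\x00")

# Constructed prior-campaign IOC list (placeholder, not a published report).
PRIOR_CAMPAIGN_IPS = {"185.86.148.227", "198.51.100.9"}

# OpenSSL releases affected by Heartbleed (CVE-2014-0160): 1.0.1 through 1.0.1f.
HEARTBLEED_VERSIONS = {"1.0.1", "1.0.1a", "1.0.1b", "1.0.1c", "1.0.1d", "1.0.1e", "1.0.1f"}

# A blob with nothing in common with SAMPLE, used to show planting.
UNRELATED = b"MZ\x90\x00\x03" + b"\x00" * 8 + b"hello world\x00"


def openssl_versions(blob):
    """Version strings from a statically linked OpenSSL banner, if any."""
    return [m.decode() for m in re.findall(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?)", blob)]


def heartbleed_vulnerable(version):
    return version in HEARTBLEED_VERSIONS


def hardcoded_ips(blob):
    """Dotted-quad strings that parse as globally routable IPv4 addresses."""
    found = set()
    for cand in re.findall(rb"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])", blob):
        try:
            ip = ipaddress.ip_address(cand.decode())
        except ValueError:
            continue
        if ip.is_global:
            found.add(str(ip))
    return found


def artifacts(blob, prior_ips=PRIOR_CAMPAIGN_IPS):
    """Everything a string-level comparison with an earlier report would see."""
    versions = openssl_versions(blob)
    ips = hardcoded_ips(blob)
    return {
        "openssl": versions,
        "heartbleed": any(heartbleed_vulnerable(v) for v in versions),
        "c2_ips": sorted(ips),
        "reused_from_prior": sorted(ips & prior_ips),
    }


def plant(blob, strings):
    """Append chosen strings to an unrelated blob. Nothing executable changes,
    yet the string-level artifacts now match the reference sample."""
    return blob + b"\x00" + b"\x00".join(strings) + b"\x00"


if __name__ == "__main__":
    print("sample   :", artifacts(SAMPLE))
    forged = plant(UNRELATED, [b"OpenSSL 1.0.1e 11 Feb 2013", b"185.86.148.227", b"45.32.129.185"])
    print("forged   :", artifacts(forged))
    print("identical:", artifacts(forged) == artifacts(SAMPLE))
```

The extraction side is what the published analyses did; the planting side is the caveat: appended strings cost the attacker nothing, so the IP overlap only carries weight if the addresses were actually used for C2, which is a question for the network evidence, not the binary.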
False Flag Puppet Blogs
• I went to register the WordPress blog guccifer3
– Someone else had already done it…
Some ACH Love
• No time to cover full ACH (Analysis of Competing Hypotheses), but here are some hypotheses
– It was Russia and Guccifer 2.0 is a puppet
– It was another unknown state actor
– Guccifer 2.0 and the Russians both hacked the DNC independently
– The docs leaked by Guccifer 2.0 are all fake
– There was never any compromise of the DNC
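The mechanics of ACH that the slide has no time for, as an added example that is not the speaker's analysis. The five hypotheses and the evidence items are taken from this deck; every consistency rating and weight in the table is an illustrative placeholder chosen to show how the method works (score inconsistencies, discard evidence that fits everything), not an assessment of the case.

```python
"""Analysis of Competing Hypotheses (ACH) scoring.

Added example, not the speaker's analysis. The hypotheses and evidence items
come from the slides; every consistency rating and weight below is an
illustrative placeholder chosen to show the mechanics, not an assessment.
"""

HYPOTHESES = [
    "H1: Russia, Guccifer 2.0 is a puppet",
    "H2: another unknown state actor",
    "H3: Guccifer 2.0 and Russia hacked the DNC independently",
    "H4: the docs leaked by Guccifer 2.0 are all fake",
    "H5: there was never any compromise of the DNC",
]

CONSISTENT, NEUTRAL, INCONSISTENT = 1, 0, -1

# (evidence, weight, rating per hypothesis). Weight is a placeholder for how
# hard the item would be to fake; the ratings are placeholders as well.
EVIDENCE = [
    ("C2 IPs in the X-Tunnel sample reused from the 2015 German Parliament sample",
     2, [CONSISTENT, INCONSISTENT, CONSISTENT, NEUTRAL, INCONSISTENT]),
    ("X-Tunnel sample embeds OpenSSL 1.0.1e",
     1, [NEUTRAL, NEUTRAL, NEUTRAL, NEUTRAL, INCONSISTENT]),
    ("Leaked document metadata looks planted",
     1, [NEUTRAL, CONSISTENT, NEUTRAL, CONSISTENT, NEUTRAL]),
    ("Guccifer 2.0 persona uses broken English and attacks CrowdStrike",
     1, [CONSISTENT, NEUTRAL, CONSISTENT, NEUTRAL, NEUTRAL]),
    ("C2 on compromised sites in several countries",
     1, [NEUTRAL, NEUTRAL, NEUTRAL, NEUTRAL, INCONSISTENT]),
    ("Encoded PowerShell matches a key seen in earlier reporting (trivially copied)",
     1, [NEUTRAL] * 5),
]


def inconsistency_scores(evidence=EVIDENCE, hypotheses=HYPOTHESES):
    """ACH scores: the summed weight of evidence inconsistent with each
    hypothesis. Lower is better; the method tries to reject, not confirm."""
    scores = {h: 0 for h in hypotheses}
    for _desc, weight, ratings in evidence:
        if len(ratings) != len(hypotheses):
            raise ValueError("one rating per hypothesis is required")
        for h, r in zip(hypotheses, ratings):
            if r == INCONSISTENT:
                scores[h] += weight
    return scores


def non_diagnostic(evidence=EVIDENCE):
    """Evidence rated the same for every hypothesis cannot discriminate
    between them, however striking it looks on its own."""
    return [desc for desc, _w, ratings in evidence if len(set(ratings)) == 1]


def ranked(evidence=EVIDENCE, hypotheses=HYPOTHESES):
    """Hypotheses ordered from fewest to most inconsistencies (stable on ties)."""
    scores = inconsistency_scores(evidence, hypotheses)
    return sorted(scores.items(), key=lambda kv: (kv[1], hypotheses.index(kv[0])))


def surviving(evidence=EVIDENCE, hypotheses=HYPOTHESES):
    """Hypotheses tied at the lowest inconsistency. More than one survivor
    means the evidence on the table does not yet support a conclusion."""
    order = ranked(evidence, hypotheses)
    best = order[0][1]
    return [h for h, s in order if s == best]


if __name__ == "__main__":
    for h, s in ranked():
        print(f"{s:2d}  {h}")
    print("non-diagnostic:", non_diagnostic())
    print("surviving:", surviving())
```

With these placeholder ratings three hypotheses tie at zero inconsistencies, which is the honest output of the method when the public evidence is mostly string-level artifacts; changing a rating is the point of the exercise and should be done with an argument for each cell.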
So Whodunnit?
• With the data publicly available today, we can’t conclude with certainty
• But based on available evidence, most probably…
Obligatory Questions Slide
• Thanks for your attention
• Open the floor to questions
• Hit me up at:
– @MalwareJake
– rsec.us