SNOWGLOBE: From Discovery to Attribution

Transcription

1 Communications Security Centre de la sécurité SNOWGLOBE: From Discovery to Attribution CSECCNT/Cyber Cl SIGDEV 2011 Cyber Thread Préserver la sécurité du Canada par la supériorité de l'information vvdi IclQcl UNCLASSIFIED 1

2 l + l Communications Security Centre de la sécurité OVERVIEW Préserver la sécurité du Canada par la supériorité de l'information UNCLASSIFIED / n 11*1 Canada 2

3 1 * 1 Communications Security Centre de la sécurité Overview Discovery Development Victimology Attribution SNOWGLOBE. Questions and Comments Préserver la sécurité du Canada oar la supériorité de l'information UNCLASSIFIED Canada

4 l + l Communications Security Centre de la sécurité DISCOVERY I Discovery Development Victimology Attribution SNOWGLOBE Questions Préserver la sécurité du Canada par la supériorité de l'information UNCLASSIFIED Canada

5 Overall Classification: TOP SECRET II COMINTII REL TO CAN, AUS, GBR, NZL, USA I ^ I Communications Security Centre de la sécurité Discovery Discovered in November 2009 Existing CNE Access WARRIORPRIDE as a sensor - REPLICANTFARM for anomaly detection XML info from implant Signature-based detection of anomalous activity and known techniques Noticed: Command-line to create password protected RAR - Always the same password Retrieved files associated with activity - Identified unknown malware through reverse engineering Collecting from specific, targeted accounts "Felt like" a Fl-collecting tool Pointed to first discovered LP Provided intial comms analysis to allow signature deployment in passive collection Préserver la sécurité du Canadapar la supériorité de l'informatioi v d l IdQcl TOP SECRET // COMINT // REL TO CAN^AUS, GBR, NZL, L

6 ^ Communications Security Centre de la sécurité DEVELOPMENT Discovery Development Victimology Attribution SNOWGLOBE Questions Préserver la sécurité du Canada par la supériorité de l'information UNCLASSIFIED 6 Canada

7 Overall Classification: TOP SECRET II COMINTII REL TO CAN, AUS, GBR, NZL, USA I ^ I Communications Security Centre de la sécurité Implant SNOWBALLS - Found and identified wmimgmt.exe and wmimgmt.dll (later called the SNOWBALL implant). - Creates a service -> loads wmimgmt.exe -> injects wmimgmt.dll into IE. - Later upgraded SNOWBALL to SNOWBALL 2 Very similar beaconing. SNOWMAN - More sophisticated implant, discovered mid Less is known about SNOWMAN, but efforts against it continue. Préserver la sécurité du Canadapar la supériorité de I'informatioi v d l IdQcl TOP SECRET // COMINT // REL TO CAN,LAUS, GBR, NZL, L

8 l + l Communications Security Establishment Canada Centre de la sécurité des télécommunications Canada SNOWBALL Beacons Content crc= 491ffa 2e746f f6fbe flag qkrnp2arnaqyhdl7ge99nzry qjrnpn9lb6346kdp%2fiw44 6rlKHkgpWjupDerZrnyg5%2 FX7oWH3bfArnYvClraLupS M%2BqGeuP%2BV4eDk%2 F4S%2Fi7rnYzLuQr4fe5520 gcwyrjiu2iz6x06uwqbbjou Z%2B9KlhNHAv5algd%2B plcw94n7o2fiyulfh%2frml Y3Csdy Oi5CrnuYrri80YXz7 oknlqbagzqqlkqfoiltqn 7rngdW%2FxYGBwpP2j6 %2BUu9Ctg8jGoseeh9% 2BY4sqansyziKqJn%2FO b3c6ylbehp5dcs4aqjyvn %2BL6n9dbuxOfKlo2NqN uc7rjnutmbvywihyz61% 2FDYgO%2FYhICZ%2F% 2BzS58Get4W%2Bwb3N 84Scw4L4hraE2LrnM%2F MiASOne3uzE6NruOYfo3v TRivSC40T8l6ue953Xr4ql gjd9ldzf7mtotuxbhupe99 K9IfX2oL70qe4ldPgxJWN wrhcjouqlqtk96pfvyyyrri 4rn9IrnD2Zj4yqvRlo%2Blh dkqizqs47q%2fnnd3wy 7r3PLIkOeV a 32-byte checksum beacon size in bytes Meaning/decrypt Description field, Values can be: flag, segment, len Login/Domain (owner): SYSTEM/AUTORITE NT (user) Computer name: EXPORT Organization (country): (France) OS version (SP): 5.1 (Service Pack 3) Default browser: iexplore.exe IE version: Mozilla/4.0 (compatible; MSIE 6,0; Win32) Timeout: 360G(nnin)480Ci(max) First launch: 07\30\ :29:37 Last launch : 11\20\20G9 10:32:42 Mode: Service Rights: Admin UAC: N/A ID: User-Agent: Mozilla/4.0 (compatible; MSI 6.0; Windows NT 5.1;.NET CLR ;.NET CLR ) Préserver la sécurité du Canadapar la supériorité de l'informatioi TOP SECRET // COMINT /n ii*i Canada TO CANßAUS, GBR, NZL, L

9 l + l Communications Security Establishment Canada Centre de la sécurité des télécommunications Canada Passive Collection EONBLUE - Global Access capability deployed across collection programs, including SPECIALSOURCE and CANDLEGLOW (FORNSAT). - Provides passive cyber-threat detection. - Allowed us to find additional infrastructure by using signatures for known SNOWGLOBE beacons Traditional - As always, a huge asset - With passive access, we were able to see an operator log in to an LP Single-token authentication + weak hash = breakthrough. Seeing the operator log in provided enough to get into the LPs for ourselves. Préserver la sécurité du Canadapar la supériorité de I'informatioi v d l IdUcl TOP SECRET // COMINT // REL TO CAN,1AUS, GBR, NZL, L

10 l + l Communications Security Establishment Canada Centre de la sécurité des télécommunications Canada Infrastructure Most infrastructure hosted in FVEY nations US, Canada, UK, Czech Republic, Poland, Norway Two types of infrastructure: - Parasitic outbase.php or register.php LP nested in a directory under root domain Unsure if this infrastructure is acquired via exploitation, some sort of special-source access, or some combination of the two This type seems to be found primarily, but not exclusively, on French-language sites - Free hosting outbase.php or register.php LP directly under root Préserver la sécurité du Canadapar la supériorité de I'informatioi v d l IdUcl TOP SECRET // COMINT // REL TO CAN,1AUS, GBR, NZL, L

11 l + l Communications Security Establishment Canada Centre de la sécurité des télécommunications Canada Infrastructure Most infrastructure hosted in FVEY nations US, Canada, UK, Czech Republic, Poland, Norway Two types of infrastructure: - Parasitic outbase.php or register.php LP nested in a directory under root domain Unsure if this infrastructure is acquired via exploitation, some sort of special-source access, or some combination of the two This type seems to be found primarily, but not exclusively, on French-language sites - Free hosting outbase.php or register.php LP directly under root Préserver la sécurité du Canadapar la supériorité de I'informatioi v d l IdUcl TOP SECRET // COMINT // REL TO CAN,1AUS, GBR, NZL, L

12 l + l Communications Security Establishment Canada Centre de la sécurité des télécommunications Canada Infrastructure: C2 / H li*i Préserver la a sécurité du canadapar Canadapar la supériorité de l'inrormatioi l'informatioi v d l IdQcl TOP SECRET // COMINT // REL TO CANJAUS, GBR, NZL, L

13 l + l Communications Security Centre de la sécurité Infrastructure: C2 pvaacpjiit! IH Repository 1.3,1 mfjc! pdi : j. i ff^'j.f x&f mhi F-- wfys ill.fa^ is* bhxja b} Omtif rj> hr.11 ntnu...-. I HHMNPI MP vm FrM La fi J. & Kc<) I tw,11 I H Ésrtù ry "TÉ u.. SfAHHaWf id. [ + 1 Till I W Ht iuh ij I C*My <>» KïM«l( 3W-4K4 - - I. -[ aeie/et/a* - ff.njn I- - iki itdmwu.pk /C /U - u J--Ì- ill l'bt-bd_iu.t'««l Lïk t 1 yi>jr par La 1 -d-l la ni-rmur rwaiogi. _, ptru La md 1 Ç*-> 23f4 butani C>» t-l g «TEHP^aLL pde I * I I 3IHIB/M/» " OT AT :CTf HAP. 3. W CToprrL-pht lai IfUrJWI JU-cwd«Haihal lffi Jbiiq 7IJG3 5tuTmr* nthiw Tnu EAE -7 fur twlp Enludtlaa copf Cuuut TUif OM-tMitj af C \ TUil aanth.tfl of C'Y r.fc-«aivd \AftaLn.i«-fc w «.-tw3-r\ pdf Lb jom3 Sùr.c.3 rrfib'ijtt l lfaarr«\ AEah L.i*mi»V air TOP SECRET II COMINT II REL TO CAN, AUS, GBR, NZL, USA / H 11*1 Préserver la a sécurité du canadapar Canadapar la supériorité de rinrormatioi l'informatioi v d l IdQcl TOP SECRET // COMINT // REL TO CANJAUS, GBR, NZL, L

14 I ^ I Communications Security y Centre de la sécurité VICTIMOLOGY IDiscovery Development Victimology Attribution SNOWGLOBE Questions r i n r l o Préserver la sécurité du Canada par la supériorité de l'information VyCLi ìfxkafx. UNCLASSIFIED 14

15 j*. Communications Security Centre de la sécurité Victimology: Iran Iranian MFA Iran University of Science and Technology # Atomic Energy Organization of Iran Data Communications of Iran Iranian Research Organization for Science Technology, Imam Hussein University Malek-E-Ashtar University Préserver la sécurité du Canadapar la supériorité de I'informatioi v d l I d Q c l TOP SECRET // COMINT // REL TO CAN^US, GBR, NZL, L

16 1 * 1 Communications Security Centre de la sécurité Victimology: Global Five Eyes - Possible targeting of a French-language Canadian media organization Europe - Greece Possibly associated with European Financial Association - France - Norway - Spain Africa - Ivory Coast - Algeria Canada Préserver la sécurité du Canadapar la supériorité de l'informatioi. ji H COMINT h REL T 0 CAN.1AUS, GBR, NZL, L

17 l + l Communications Security Establishment Canada Centre de la sécurité des télécommunications Canada ATTRIBUTION Discovery Development Victimology Attribution SNOWGLOBE Questions Préserver la sécurité du Canada par la supériorité de l'information UNCLASSIFIED 17

18 Overall Classification: TOP SECRET II COMINTII REL TO CAN, AUS, GBR, NZL, USA j*. Communications Security Centre de la sécurité ntrass.exe - DLL Loader uploaded to a victim as part of tasking seen in collection - Internal Name: Babar - Developer username: titi Babar is a popular French children's television show Titi is a French diminutive for Thiery, or a colloquial term for a small person Préserver la sécurité du Canadapar la supériorité de I'informatioi v d l IdQcl TOP SECRET // COMINT // REL TO CAN,LAUS, GBR, NZL, L

19 Overall Classification: TOP SECRET II COMINTII REL TO CAN, AUS, GBR, NZL, USA I ^ I Communications Security Centre de la sécurité Attribution: Language ko used instead of kb - a quirk of the French technical community English used throughout C2 interface, BUT phrasing and word choice are not typical of a native English speaker - An attempt at obfuscation? Locale option of artifact within spear-phishing attack set to "fr FR" _ Préserver la sécurité du Canadapar la supériorité de I'informatioi v d l IdQcl TOP SECRET // COMINT // REL TO CAN,LAUS, GBR, NZL, L

20 1*1 Overall Classification: TOP SECRET II COMINTII REL TO CAN, AUS, GBR, NZL, USA Communications Security Centre de la sécurité Attribution: Intelligence Priorities Iranian science and technology - Notably, the Atomic Energy Organization of Iran - Nuclear research European supranational organizations - European Financial Association Former French colonies - Algeria, Ivory Coast French-speaking organizations/areas - French-language media organization Doesn't fit cybercrime profile Préserver la sécurité du Canadapar la supériorité de l'informatioi v d l IdQcl TOP SECRET // COMINT // REL TO CAN^AUS, GBR, NZL, L

21 Communications Security y Centre de la sécurité SNOWGLOBE. Discovery Development Victimology Attribution SNOWGLOBE Questions Préserver la sécurité du Canada par la supériorité de l'information Canada 21

22 l + l Communications Security Centre de la sécurité SNOWGLOBE. CSEC assesses, with moderate certainty, SNOWGLOBE to be a state-sponsored CNO effort, put forth by a French intelligence agency Préserver la sécurité du Canadapar la supériorité de l'informatioi TOP SECRET // COMINT / n 11*1 Canada TO CAN2MJS, GBR, NZL, L

23 Overall Classification: TOP SECRET IICOMINTII REL TO CAN, AUS, GBR, NZL, USA I ^ I Communications Security / Centre de la sécurité SNOWGLOBE Program C2 nodes worldwide (including Canada, US, UK) - Free hosting - Compromised 3 implants - SNOWBALL 1 - SNOWBALL 2 - SNOWMAN Victims in Spain, Greece, Norway, France, Algeria, Cote d'ivoire - Intense focus on Iranian science and technology organizations Likely French intelligence - Specific agency unknown J'A 1 Préserver la sécurité du Canadapar la supériorité de l'informatioi I d U c l TOP SECRET // COMINT // REL TO CAN2AUS, GBR, NZL, L

24 l + l Communications Security Establishment Canada Centre de la sécurité des télécommunications Canada What We Don't Know Any persona details How they get their non-free LPs - Exploitation? - Special source? Last hop (operator to infrastructure) - Believed to be Tor-based... Which agency within the French intelligence community might be responsible - Who's driving the intelligence requirements Efforts against the SNOWMAN crypt continue Préserver la sécurité du Canadapar la supériorité de I'informatioi v d l IdUcl TOP SECRET // COMINT // REL TO CAN,1AUS, GBR, NZL, L

25 l + l Communications Security Centre de la sécurité QUESTIONS AND COMMENTS Discovery Development Victimology Attribution SNOWGLOBE Questions Préserver la sécurité du Canada par la supériorité de l'information Canada UNCLASSIFIED 25