CYBER ESPIONAGE AGAINST MARITIME TARGETS
Brandon Catalan, CISSP, CCE
Matthew Brady
April 26, 2018
ACCENTURE SECURITY
Strategy & Risk | Cyber Defense | Digital Identity | Application Security | Managed Security Services
Copyright © 2017 Accenture Security. All rights reserved. 2
AGENDA
• Introductions
• Why are you here? Are you just interested in the subject matter or is it something else?
• Cyber Espionage: Then & Now
• Adversarial Targeting: Then & Now
• What Countermeasures Can You Employ?
INTRODUCTIONS
WHY ARE YOU HERE?
• Are you interested in the subject matter?
• Are you worried that your organization could become a target?
• Have you already become a target?
• Are you trying to figure out what to do?
BOTTOM LINE UP FRONT
• It’s pretty confusing out there
• “Is CE still a threat to my business?”
• “Do I have to worry about all of it?”
• “Do I even have to worry anymore?”
• “Chinese numbers are down”
• “Russians only care about elections”
• “North Korea doesn’t have the internet”
• For SENEDIA members, cyber espionage is more of a threat now than it was a decade ago
“IN THE BEGINNING…”
• 1998-99: Moonlight Maze
• 2003: Titan Rain
• 2007 – 2012: Heyday of Cyber Espionage
• China was king
• Large DIB contractors getting hit with overwhelming campaigns several times a day
• Gigabytes of data being exfiltrated per month
• 2013: NYT / Mandiant APT1 Report
• Publicly exposes individual PLA units and actors
• Chinese intrusion sets begin to scale back operations and abandon identified infrastructure
• 2015: U.S. China Cyber Agreement
• Provide timely responses to requests for information and assistance concerning malicious cyber activities
• Refrain from conducting or knowingly supporting cyber-enabled theft of intellectual property
• Pursue efforts to further identify and promote appropriate norms of state behavior in cyberspace within the international community
• Establish a high-level joint dialogue mechanism on fighting cybercrime and related issues
• Large contractors see sharp decreases in CN targeting
LEGACY CHINESE INTRUSION SETS
• ~ a dozen tracked intrusion sets in the heyday of Chinese cyber espionage
• Mainly attributed to Chinese military units, intelligence agencies, contractors
• Each intrusion set appeared to have very specific targeting requirements and did not deviate
• Most aligned with PLA technology requirements
• Individual actors began to accidentally self-identify with the birth of social media
POST AGREEMENT
• Russia, Iran, North Korea fill the void
• In reality, they were always there!
• China just got the most attention because of high OPTEMPO and wide-scale campaigns
• Prior to 2016, Russian operators were extremely surgical
• Most Russian activity either went undetected or was misattributed as Chinese
• 2016 activity was noisy
• Iran and North Korea develop their programs with help from foreign guidance
• Intelligence points to NK operators training and operating inside China
• Iranian actors have also likely trained and operated outside of Iranian borders
• Historical Iranian collection requirements largely include UAV and AUV technologies
NORTH KOREA – CHINA PARTNERSHIP
Is it a coincidence that when Chinese campaigns decreased, NK campaigns increased?
• North Korea relies on China for…pretty much everything
• Internet connectivity!
• Chinese and NK collection requirements overlap with one another
• Share the same adversary
• Interested in the same technologies in order to develop countermeasures and reverse engineer
Quid pro quo?
NK – CN, CONT.
• NEEDLEFISH
• AKA Lazarus, Unit 121, etc.
• As a result of recent (24 months) activity, represents one of our most active and tracked intrusion sets across the board
• Would likely not be possible without Chinese training, intelligence sharing, & infrastructure
• According to open sources and our targeting analysis:
• First domestically developed ballistic missile submarine (Sinpo-C class)
• Ability to deploy into the Pacific undetected and launch nuclear-tipped missiles when ordered to do so
• Upgrade existing sonar capabilities
• Develop countermeasures for SM-3 Block IIA
CHINESE OPERATIONS
• As discussed earlier, Chinese numbers against US targets significantly down following 2013-2015 events
• Pacific Rim maritime targeting actually increased
• Taiwan, Vietnam, Malaysia, Singapore, Philippines, Japan, South Korea
CHINESE OPERATIONS, CONT.
• “MUDCARP” resumes campaigns against US based targets
• Intrusion set likely sponsored and directed by Chinese government
• Primary target includes US defense contractors and supply chain involved in maritime weapons platforms (especially those sold to US allies in Pacific Rim)
• “MUDCARP” actors actively seeking data pertaining to radar ranges and anti-submarine technologies
• Also may have an interest in navigational/plotting software
• Other targets include education, manufacturing, transportation & government entities within the maritime defense vertical
• Recent campaigns targeting the DIB leveraged targeted emails carrying malicious attachments and embedded URLs that pointed to adversary-owned infrastructure
• “ARLUAS_FieldLog_2017-08-21.doc”
• “Torpedo recovery experiment” Subject line
• Malicious documents, C2 domains, and payload domains abused the brand of a major provider of ships, submarines, and other vessels with military applications
ARE YOU A VIABLE TARGET?
• Most of SENEDIA has likely fallen within adversarial collection requirements
BEST TARGET OF ALL…
• If I was targeting this group…
NOW WHAT?
• Before you panic, there are very simple countermeasures you can implement to help prevent or mitigate future campaigns…
• Think like the adversary…what makes you a target?
• What are your high value programs?
• Your cash cow programs?
• Or something else?
1. Employee awareness training
• The TTPs haven’t changed…keyboards and mouse clicks will put you out of business
2. Patching and updates
• Even the most advanced intrusion sets typically leverage older vulnerabilities
3. Blocking identified IOCs
• Many intel shops are now pushing out identified IOCs in open source reports
• Free intelligence!!!
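As an added illustration of the third countermeasure (this is not code from the original deck): open source reports publish indicators in defanged form, and a small matcher can refang them and sweep proxy or DNS logs, flagging hosts under a listed domain as well as addresses inside a listed netblock. Every indicator value and log line below is a constructed placeholder.

```python
import ipaddress, re

# Constructed placeholder indicators in defanged report notation; none is real.
DEFANGED_IOCS = [
    "198.51.100[.]23",             # single address
    "203.0.113.0/24",              # whole netblock
    "www.payload-example[.]test",  # exact hostname
    "typo-squat-example[.]test",   # domain; its subdomains should match too
]

def refang(ioc: str) -> str:
    # Turn report-safe notation back into a matchable value.
    return ioc.replace("[.]", ".").replace("hxxp", "http").strip().lower()

class IocMatcher:
    def __init__(self, defanged):
        self.networks, self.domains = [], set()
        for raw in defanged:
            value = refang(raw)
            try:  # anything that parses as an address or CIDR is a network
                self.networks.append(ipaddress.ip_network(value, strict=False))
            except ValueError:
                self.domains.add(value)

    def match_ip(self, ip: str) -> bool:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return False
        return any(addr in net for net in self.networks)

    def match_host(self, host: str) -> bool:
        # Check the host and every parent domain so subdomains of a listed domain hit.
        labels = host.lower().rstrip(".").split(".")
        return any(".".join(labels[i:]) in self.domains for i in range(len(labels)))

    def scan_log(self, lines):
        hits = []
        for line in lines:
            ips = re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", line)
            hosts = re.findall(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", line.lower())
            if any(map(self.match_ip, ips)) or any(map(self.match_host, hosts)):
                hits.append(line)
        return hits

# Constructed proxy log lines (not real traffic); the first two should be flagged.
SAMPLE_LOG = [
    "2018-04-20T10:01:02 src=10.0.0.5 dst=203.0.113.77 host=cdn.vendor.example GET /",
    "2018-04-20T10:01:09 src=10.0.0.8 dst=198.51.100.9 host=accounts.typo-squat-example.test GET /login",
    "2018-04-20T10:02:00 src=10.0.0.9 dst=192.0.2.10 host=intranet.corp.example GET /",
]
```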
RECENT “MUDCARP” ACTIVITY
• Exploiting CVE-2017-11882
RECENT NEEDLEFISH ACTIVITY
• Only “state owned” sites are supposed to be hosted on the 175.45.176.0/22 net range
• Academic, cultural, travel, general communist propaganda
• Likely RGB reserved IP addresses
RECENT IRANIAN ACTIVITY
Iranian operators are getting crafty with malicious domain names
Also very good at leveraging social media as a collection/targeting vector
QUESTIONS?
401.451.8037