
Page 1: Pavelich - WAPT Public.ppt - CounterMeasure 2019 · RECCE and planning by the WAPT, thanks to geospatial databases and satellite maps. And along comes LTE and makes things high speed

John Pavelich

Page 2:

• Peter Hammerschmidt, Director General of National Cyber Security at Public Safety Canada, said: ‘Globally, cyber crime accounted for as much as $450 billion in losses’.

• ‘It’s evolved from being about young hackers looking to cause mischief into nation states collecting information on other countries’.

Ottawa Citizen, October 3, 2014

Page 3:

APT: Basics

APT refers to a specific model of attack associated with highly skilled and well resourced threat actors that will persistently target specific entities of interest.

APT can be attributed to State Actors, some Organized Crime Actors and some commercial offensive cyber companies with the technology and skill sets.

By now most Cyber Security experts are comfortable in their understanding of wired APTs and the actors involved.

Page 4:

Wireless APT (WAPT)

WAPT refers to a model of cyber attack whose vectors are entirely wireless and incorporates a sophisticated hardware technology component called a Complex Technical Threat Implant or CTTI.

• WAPT is very rare and not well known.

• One (in Canada) has been identified in the last 12 months.

• Alluded to by Snowden.

A distinguishing feature of the WAPT-oriented Threat Actor is the ability to model, build, manufacture, integrate and test a CTTI similar to GUNMAN.

Let’s define this new threat class as the Wireless APT (WAPT) in order to distinguish its unique characteristics and to show the detection capability gap.

Page 5:

Why Did the Wireless APT appear?

Threat Actors discovered that some targeted organizations’ networks are ‘well defended’, ‘closed’ or ‘air-gapped’. Some organizations follow NIST 800-53 and the ‘Low Hanging Fruit’ cyber attack is gone.

Threat Actors experienced ‘mission failure’.

• “Igor, we can’t get in, all Internet doors and windows shut.”

• “Serge says no more voldka and caviar until get informations he need.”

• “Dah, I work on it, I get us inside. First I moost find Veektor who built ‘GUNMAN’.”

Experience studying GUNMAN (and other CTTIs) tells us that State Threat Actors have excellent capability installing custom, sophisticated covert devices inside well-defended facilities.

Ask Madeleine Albright.

Page 6:

What do they want and why would they go to this extent?

Some potential targets:

Military:

• Nuclear Launch Warning.

• Defence R and D.

• High grade cryptographic keys.

Government:

• Trade negotiation information.

• Sensitive ‘Inner Cabinet’ information or policies.

Commercial:

• R and D.

• Economic Manipulation.

Critical Infrastructure:

• Industrial Control Systems.

Page 7:

Wireless APT: Some concerns

In a ‘normal’ APT attack significant quantities of information are exfiltrated.

Until recently, only relatively simple, narrowband TTIs were available – only suitable as key stroke loggers and wireless mics.

The available high speed wireless transmitting technologies were recognizable, detectable, and had a very short effective range.

Short range = very high risk to the Threat Agent’s exfiltration post. The State Threat Actor is risk averse. Ask Stanislav Gusev.

WAPT needs a Waveform (vector) that is not easily detectable, recognizable as a threat, or capable of being analyzed by the current class of Electronic Warfare and Technical Surveillance Countermeasures (TSCM) receivers and tools.

We still don’t understand a lot about how the implant behaves on the host. We know it can be variable, depending upon desired outcomes.

Page 8:

Older wireless technologies that have been available to the Threat Agent

Type                   Frequency (MHz) Start / Stop   Channel    Data Throughput
Citizens Band (CB)     27.00 / 27.40                  < 10 kHz   1.2 Kbit/s
Cordless Phone         43.00 / 43.99                  < 10 kHz   1.2 Kbit/s
Air Walkie-Talkie      118.00 / 137.00                < 10 kHz   1.2 Kbit/s
Marine Walkie-Talkie   156.00 / 163.00                < 10 kHz   1.2 Kbit/s
PMR 430                433.00 / 434.80                < 10 kHz   1.2 Kbit/s
Sat Phone (Iridium)    1616.00 / 1626.50              < 10 kHz   2.4 Kbit/s

Low throughput

Narrow band (most are very easy for TSCM to detect)

Except for Iridium the data exfil point has to be close

The lower the frequency – The larger the physical size (for a clean signal)
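As an added example (not from the deck), the script below shows how a sweep result can be triaged against the slide's legacy-band table: an unexpected narrowband emitter inside one of those bands is the classic TSCM find, while a wide carrier in a cellular band falls outside the table entirely and has to be handed to protocol-level analysis, which is the detection gap the later slides describe. The band table is the slide's; the facility baseline, the sweep records and the cellular channel widths used to label a wideband signal (GSM 200 kHz, LTE 1.4 to 20 MHz) are my assumptions and constructed data.

```python
"""Added example (not from the deck): triage emitters seen in an RF sweep of a
facility against the legacy-band table on the slide and against a baseline of
the emitters the facility expects to see.  All sweep records and the baseline
are constructed sample data."""
from dataclasses import dataclass

# Legacy bands from the slide: (name, start MHz, stop MHz, channel kHz, kbit/s)
LEGACY_BANDS = [
    ("Citizens Band (CB)",     27.00,   27.40, 10, 1.2),
    ("Cordless Phone",         43.00,   43.99, 10, 1.2),
    ("Air Walkie-Talkie",     118.00,  137.00, 10, 1.2),
    ("Marine Walkie-Talkie",  156.00,  163.00, 10, 1.2),
    ("PMR 430",               433.00,  434.80, 10, 1.2),
    ("Sat Phone (Iridium)",  1616.00, 1626.50, 10, 2.4),
]

# Occupied bandwidths that mark a cellular-class signal (general knowledge,
# not from the deck): GSM carriers are 200 kHz wide, LTE carriers 1.4-20 MHz.
GSM_CHANNEL_KHZ = 200
LTE_MIN_CHANNEL_KHZ = 1400

EXPECTED = "expected (in facility baseline)"
LEGACY_NARROW = "unexpected narrowband in legacy band"
CELLULAR_WIDE = "unexpected cellular-class wideband (needs protocol analysis)"
OTHER = "unexpected emitter"
PRIORITY = {LEGACY_NARROW: 0, CELLULAR_WIDE: 1, OTHER: 2, EXPECTED: 3}


@dataclass(frozen=True)
class Emitter:
    freq_mhz: float   # centre frequency
    bw_khz: float     # occupied bandwidth
    level_dbm: float  # level at the sweep antenna


def legacy_band(freq_mhz):
    """Name of the slide's legacy band that contains freq_mhz, or None."""
    for name, start, stop, _, _ in LEGACY_BANDS:
        if start <= freq_mhz <= stop:
            return name
    return None


def in_baseline(e, baseline, tol_mhz=0.05):
    """True if the baseline lists an emitter at this frequency with a
    bandwidth within 20% of what was observed."""
    return any(abs(e.freq_mhz - f) <= tol_mhz and abs(e.bw_khz - bw) <= 0.2 * bw
               for f, bw in baseline)


def triage(emitters, baseline):
    """Label every emitter and return (emitter, verdict) pairs, with the ones
    a TSCM operator should look at first at the front of the list."""
    out = []
    for e in emitters:
        if in_baseline(e, baseline):
            verdict = EXPECTED
        elif e.bw_khz <= 25 and legacy_band(e.freq_mhz):
            verdict = LEGACY_NARROW
        elif e.bw_khz >= LTE_MIN_CHANNEL_KHZ or abs(e.bw_khz - GSM_CHANNEL_KHZ) <= 20:
            verdict = CELLULAR_WIDE
        else:
            verdict = OTHER
        out.append((e, verdict))
    return sorted(out, key=lambda pair: PRIORITY[pair[1]])


# Constructed facility baseline: (centre MHz, bandwidth kHz) of emitters the
# site owns, e.g. its Wi-Fi access point and the guards' PMR radios.
SAMPLE_BASELINE = [(2437.0, 20000.0), (433.5, 12.5)]

# Constructed sweep: the two baseline emitters, one narrowband emitter in the
# CB band, and one 10 MHz-wide carrier in a cellular band.
SAMPLE_SWEEP = [
    Emitter(2437.0, 20000.0, -40.0),
    Emitter(433.5, 12.5, -55.0),
    Emitter(27.185, 8.0, -70.0),
    Emitter(1850.0, 10000.0, -62.0),
]


def run_sample():
    return triage(SAMPLE_SWEEP, SAMPLE_BASELINE)


if __name__ == "__main__":
    for e, verdict in run_sample():
        print(f"{e.freq_mhz:9.3f} MHz  {e.bw_khz:8.1f} kHz  {e.level_dbm:6.1f} dBm  {verdict}")
```

The verdict strings make the slide's point explicit: the legacy table only ever names a narrowband emitter, so the wideband cellular carrier is reported as "needs protocol analysis" rather than matched to anything, which is exactly what a narrowband TSCM receiver cannot do for it.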

Page 9:

Cellular Family   Standard   Peak Data Rate (kbit/s)   Typical Data Rate (kbit/s)
GSM               GSM-CSD    9.6 / 14.4                9.6
                  HS-CSD     28.8 / 43.2               28.8
                  GPRS       115 / 171                 50
                  EDGE       384 / 513                 115
UMTS              FDD        384 / 2000                144
                  TDD        384 / 2000                144
CDMAOne           IS-95A     14.4                      14.4
                  IS-95B     64 / 115                  56
CDMA2000          1X         144 / 307                 130
                  1X EV      2000
TDMA              CSD        9.6                       9.6
PDC               i-mode     9.5                       9.6

Old cellular standards did work, but had slow throughput, and were not standard everywhere.

Only Russian TSCM Detects/Analyzes GSM Standard!

Page 10:

In comparison to older cellular technologies, BlueTooth and WiFi have very good data speeds with very small physical footprints.

BlueTooth and WiFi are potential WAPT technology choices, but the Threat Agent needs to be close to be effective and there are lots of defensive tools available for detect/locate/analyze/respond.

Page 11:

Cellular Wireless Signal Coverage can be modelled, allowing for remote RECCE and planning by the WAPT, thanks to geospatial databases and satellite maps.

Page 12:

And along comes LTE and makes things high speed and standard around the world

Page 13:

LTE Advantages

High speed

Good coverage

Small physical footprint

Exfil point is anywhere in the world

LTE bypasses our NIDS

TSCM is in a ‘No Detect’ situation

It’s encrypted ‘Out of the Box’

The WAPT will likely use LTE to ‘Hide in Plain Sight’

Page 14:

Now that I’ve convinced you about the use of the wireless vector, what else can we say?

• Application white listing doesn’t work

• CTTI has on-board processing, storage and RAM (think smart phone less the user-oriented bits)

• CTTI is permanently attached to the host, so it’s powered forever

• CTTI is on the host bus, so it’s already authenticated to the network

• In a real slick install it’s machined or etched into part of the circuit board and can’t be easily verified by physical inspection
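The slide's point that a CTTI sits on the host bus, authenticated like any other peripheral, and is hard to verify by physical inspection, suggests one logical check a defender can run on a host that is believed to be clean: keep a golden record of the devices enumerated on the bus at commissioning and diff later enumerations against it. The script below is an added example, not from the deck; it assumes `lspci -nn` style output (slot, class name, [class code], description, [vendor:device]) and uses constructed listings with placeholder vendor IDs. It catches a device that enumerates and differs from the baseline; an implant that presents itself as an existing legitimate device, or that does not enumerate at all, will not show up here, which is why the deck calls for RF methods as well.

```python
"""Added example (not from the deck): compare a host's enumerated PCI devices
against a golden baseline taken when the machine was commissioned, so that a
device that has appeared on the bus since then is reported.  The lspci-style
listings below are constructed sample data, not output from a real host."""
import re

# One line of `lspci -nn`:
#   <slot> <class name> [<class code>]: <description> [<vendor>:<device>] (rev NN)
LSPCI_LINE = re.compile(
    r"^(?P<slot>[0-9a-f]{2,4}:[0-9a-f]{2}\.[0-7]) (?P<cls>.+?) \[(?P<clscode>[0-9a-f]{4})\]: "
    r"(?P<desc>.+?) \[(?P<vid>[0-9a-f]{4}):(?P<did>[0-9a-f]{4})\]"
)


def parse_lspci(text):
    """Map bus slot -> (vendor:device, class code, description)."""
    devices = {}
    for line in text.splitlines():
        m = LSPCI_LINE.match(line.strip())
        if m:
            devices[m["slot"]] = (f'{m["vid"]}:{m["did"]}', m["clscode"], m["desc"])
    return devices


def diff_inventory(baseline, current):
    """Report slots that were added, removed, or now carry a different
    vendor:device or class than the baseline recorded.
    Each entry is (slot, vendor:device, class code, description)."""
    added = [(s, *current[s]) for s in sorted(set(current) - set(baseline))]
    removed = [(s, *baseline[s]) for s in sorted(set(baseline) - set(current))]
    changed = [(s, *current[s]) for s in sorted(set(baseline) & set(current))
               if current[s][:2] != baseline[s][:2]]
    return {"added": added, "removed": removed, "changed": changed}


# Constructed baseline listing; vendor IDs and descriptions are placeholders.
BASELINE_LSPCI = """\
00:00.0 Host bridge [0600]: Example Corp Host Bridge [beef:0100] (rev 07)
00:14.0 USB controller [0c03]: Example Corp xHCI Controller [beef:0200] (rev 21)
00:1f.6 Ethernet controller [0200]: Example Corp Ethernet Connection [beef:0300] (rev 21)
"""

# Constructed current listing: the same devices plus an extra network
# controller at a slot the baseline never had.
CURRENT_LSPCI = BASELINE_LSPCI + \
    "02:00.0 Network controller [0280]: Unknown device [dead:0001]\n"


def run_sample():
    return diff_inventory(parse_lspci(BASELINE_LSPCI), parse_lspci(CURRENT_LSPCI))


if __name__ == "__main__":
    for kind, entries in run_sample().items():
        for slot, ids, clscode, desc in entries:
            print(f"{kind:8s} {slot} [{clscode}] {ids} {desc}")
```

In practice the baseline would be captured from the host when it is built, stored off the host (an attacker on the bus could otherwise edit it), and the diff run on a schedule; the class code is compared as well as the IDs so a device that keeps a slot but changes function is also reported.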

Page 15:

We obviously need to study this further!

Require better investigative tools

RF spectrum analysis is one key element

Three technique geo-location technology is another

Who will prove the threat (publicly) and provide the first ‘WAPT Capture’?

Page 16:

Questions?