Best Practices: Indicator Rating and Confidence

ThreatConnect enables users to assign a Threat Rating and Confidence to every single indicator… but what do those numbers really represent?  In order to enable your organization to make the best decisions, it’s important to standardize on the connotation attached to these ratings.  When your analysts, defensive integrations, and leadership all speak the same language regarding indicator impact, you can make more timely and accurate decisions.


Understanding Threat Rating

ThreatConnect allows you to assign each indicator a Threat Rating, measured as 0-5 Skulls.  Within the scope of your organization, you can define the difference between a 1 Skull indicator and a 5 Skull indicator.  If you’re having trouble making such decisions, or want your indicator ratings to match those across the ThreatConnect Cloud, it may be helpful to look at the Skull level definitions implemented by the ThreatConnect Intelligence Research Team:


  • Unknown (0 Skulls): There is not enough info to assess Threat Level.
    Example “I’m still working on the indicators in this Email’s header; I don’t know anything about that SMTP server yet.”
  • Suspicious (1 Skull): There has been no confirmed malicious activity, but suspicious or questionable activity has been observed from an unknown threat.
    Example “I’m not sure why our users’ laptops keep visiting this URL, but so far I can’t see anything wrong with it.”
  • Low Threat (2 Skulls): This indicator represents an unsophisticated adversary — it may be purely opportunistic and ephemeral, or indicate pre-compromise activity.
    Example “We see scans on that port from IPs in that netblock all day.”
  • Moderate Threat (3 Skulls): This indicator may represent a capable adversary — their actions are moderately directed and determined, and the indicator corresponds to the delivery/exploitation/installation phase.
    Example “That file hash represents a document pretending to be a Corporate Memo specifically targeting our company’s HR Department.”
  • High Threat (4 Skulls): This indicator can be attributed to an advanced adversary, and represents that targeted and persistent activity has already taken place.
    Example “The callback address from that targeted ‘Corporate Memo’ masquerade is all over our access logs…”
  • Critical Threat (5 Skulls): This indicator represents a highly skilled and resourced adversary — it should be reserved for those adversaries with unlimited capability and is critical at any phase of the intrusion.
    Example “Start ripping servers out of racks; we’re bleeding customer data to that man-in-the-middle host!”

Using a standard Threat Rating will enable decision making across your organization, both at a human and machine level. If your Threat Intel analysts decide that an indicator is 5 Skulls, your Incident Response analysts can respond accordingly when it’s discovered. The knowledge transfer of context surrounding indicators is essential to making sure you’re putting your best foot forward.

Understanding Indicator Confidence

Of course, Threat Ratings only capture one dimension of context surrounding an indicator. Analysts rarely see such an attribution as a black and white problem. To address this, ThreatConnect allows you to model the confidence in your assessment as an integer between 0 and 100.


Analyst-Derived Confidence

Confidence can be set manually — perhaps an analyst has only found the tip of the iceberg in C2 redirects, and isn’t ready to commit to their assessment of that entry point. Likewise, your confidence in your Threat Rating assessment may vary based on the timeliness of the available data, or knowledge about your adversary’s tactics and techniques.

ThreatConnect assigns ratings on the following scale to denote separate levels of confidence:

  • Confirmed (90-100)
    The assessment has been confirmed by other independent sources and/or through direct analysis. This assessment is logical and consistent with other information on the subject.
    Example “That executable is definitely dropping a known malware variant.”
  • Probable (70-89)
    Though this assessment is not directly confirmed, it is logical and consistent with other information on the subject.
    Example “That URL has the same nonsensical 15-character path at the end as other known bad URLs, but is on another host.”
  • Possible (50-69)
    The assessment is not confirmed, and is somewhat logical, but only agrees with some information on the subject.
    Example “That email address has the same username as the My Documents path we found when we reverse engineered this malware… but it’s a pretty common name.”
  • Doubtful (30-49)
    This assessment is possible, but not the most logical deduction, and cannot be corroborated or refuted by other information on the subject.
    Example “The scans came from an IP address rented from this VPS provider… we’ll have to dig deeper to see if it’s actually bad.”
  • Improbable (2-29)
    This assessment is possible, but not the most logical deduction, and is directly refuted by other information on the subject.
    Example “The file calls back to a host which appears to have been taken down; maybe that C2 host has since been rotated.”
  • Discredited (1)
    This assessment is confirmed to be inaccurate.
    Example “That’s not malware, that’s just a poorly-written PowerPoint presentation.”
  • Unassessed (0)
    No confidence has been assigned to this indicator.

Automated Confidence

As time goes by, your analysis may be less relevant as indicators become stale. ThreatConnect can actually decay the confidence of indicators over time if they’re not being touched. This allows you to “age out” indicators that you saw years ago… they may have been high Threat Rating at one point, but your ability to say that may decrease over time.

This rate of confidence deprecation is configurable within each Organization, Source, or Community. Every day that an indicator goes untouched, that indicator’s confidence will deprecate by the configured amount. ThreatConnect can even delete the indicator if its confidence reaches zero.

Putting Threat Rating and Confidence to Work

Threat Rating and Confidence are great measures for two separate dimensions of an indicator’s relevance. An adversary that aggressively rotates C2 infrastructure may result in a slew of 5 Skull, 0 Confidence indicators. A script kiddy launching attacks from his attributable hacker domain may result in a handful of 2 Skull, 100 Confidence indicators.

The important thing about Threat Rating and Confidence is that you use them to drive decision-making. By implementing the above best practices, you can begin to leverage the analysis that you’ve modeled in each indicator’s respective ratings. You can write a TC Exchange application to extract all high-confidence 5 Skull indicators to initiate scans within your network. Alternatively, you could leverage an existing TC Exchange application written in conjunction with one of our partners to automatically block or alert on indicators that meet such parameters.
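The following is an added illustration, not ThreatConnect’s own code or its decay implementation: it models the Threat Rating and Confidence conventions above, applies the per-owner daily confidence decay described under “Automated Confidence”, and then selects the high-confidence 5 Skull indicators an integration might act on. The decay rates, dates, owners and indicator values are constructed for the example; the “only delete if confidence was assessed before decaying to zero” rule is an assumption, not a documented platform behaviour.

```python
from dataclasses import dataclass, replace
from datetime import date

# Confidence bands from the post: (lower bound, label), checked from the top down.
CONFIDENCE_BANDS = [
    (90, "Confirmed"), (70, "Probable"), (50, "Possible"), (30, "Doubtful"),
    (2, "Improbable"), (1, "Discredited"), (0, "Unassessed"),
]
# Threat Rating in Skulls, as defined by the ThreatConnect research team.
THREAT_RATINGS = {0: "Unknown", 1: "Suspicious", 2: "Low Threat",
                  3: "Moderate Threat", 4: "High Threat", 5: "Critical Threat"}


def confidence_label(confidence: int) -> str:
    """Map an integer confidence (0-100) onto the post's named bands."""
    if not 0 <= confidence <= 100:
        raise ValueError("confidence must be between 0 and 100")
    for lower, label in CONFIDENCE_BANDS:
        if confidence >= lower:
            return label
    return "Unassessed"  # unreachable, kept for clarity


@dataclass(frozen=True)
class Indicator:
    value: str
    rating: int          # 0-5 Skulls
    confidence: int      # 0-100
    last_modified: date  # last time an analyst "touched" the indicator
    owner: str           # Organization, Source or Community that holds it


@dataclass(frozen=True)
class DecayPolicy:
    """Per-owner setting: confidence points lost per untouched day, and
    whether the indicator is removed once its confidence reaches zero."""
    points_per_day: int
    delete_at_zero: bool = False


def decayed_confidence(ind: Indicator, policy: DecayPolicy, today: date) -> int:
    days_untouched = (today - ind.last_modified).days
    if days_untouched <= 0 or policy.points_per_day <= 0:
        return ind.confidence
    return max(0, ind.confidence - days_untouched * policy.points_per_day)


def apply_decay(indicators, policies, today):
    """Return (surviving indicators with decayed confidence, deleted values).
    Assumption: an indicator that was never assessed (confidence already 0)
    is not deleted, only ones that decay down to zero are."""
    kept, deleted = [], []
    for ind in indicators:
        policy = policies.get(ind.owner)
        if policy is None:
            kept.append(ind)
            continue
        new_conf = decayed_confidence(ind, policy, today)
        if policy.delete_at_zero and new_conf == 0 and ind.confidence > 0:
            deleted.append(ind.value)
            continue
        kept.append(replace(ind, confidence=new_conf))
    return kept, deleted


def actionable(indicators, min_rating=5, min_confidence=90):
    """Indicators worth handing to a scanner or blocking integration:
    by default 'high-confidence 5 Skull' as the post suggests."""
    return [i for i in indicators
            if i.rating >= min_rating and i.confidence >= min_confidence]


# Constructed sample data (TEST-NET addresses and a made-up domain).
POLICIES = {"my-org": DecayPolicy(points_per_day=1),
            "shared-community": DecayPolicy(points_per_day=2, delete_at_zero=True)}
SAMPLE = [
    Indicator("203.0.113.10", 5, 100, date(2015, 11, 20), "my-org"),
    Indicator("198.51.100.7", 5, 30, date(2015, 10, 1), "shared-community"),
    Indicator("scanner.example.net", 2, 100, date(2015, 11, 23), "my-org"),
    Indicator("192.0.2.44", 5, 0, date(2014, 1, 1), "shared-community"),
]


def run_demo(today=date(2015, 11, 23)):
    kept, deleted = apply_decay(SAMPLE, POLICIES, today)
    return {
        "confidence": {i.value: (i.confidence, confidence_label(i.confidence)) for i in kept},
        "deleted": deleted,
        "actionable": [f"{i.value} ({THREAT_RATINGS[i.rating]})" for i in actionable(kept)],
    }


if __name__ == "__main__":
    for key, val in run_demo().items():
        print(key, val)
```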

Standardizing on the meaning of Threat Rating and Confidence allows you to take action within the scope of your organization or contribute to the greater community.   You worked hard to find and triage all those indicators; now make them work for you!

For more information on ThreatConnect’s Threat Rating and Confidence, please download our “Evilness Rating” tool here.


ThreatConnect and Maltego

ThreatConnect® has partnered with Malformity Labs LLC to develop a full transform set that allows for data from ThreatConnect to be integrated with the capabilities of Maltego.

All ThreatConnect customers can take advantage of our partnership with Malformity Labs LLC and use the Maltego transform set through the ThreatConnect®  API and a provided transform server. Customers can use this to:

  • Visualize the relationship between incidents, threats, adversaries, and indicators,
  • Uncover relationships between your private data in ThreatConnect and Community Data,
  • Leverage attributes belonging to indicators and threats to create Maltego graphs without losing any of the contextual data within ThreatConnect, and
  • Pivot from ThreatConnect data and external open source data sources using other transform sets within Maltego.

With more than 100 transforms to query and pivot through ThreatConnect’s data, users can easily model threats and the relationships between malware, domains, IPs, and other indicators and the incidents they were observed in, the threats they are associated with, or adversary personas.  The use cases are numerous, but to help illustrate how it works we’ve picked a few scenarios to step through how a customer with access to ThreatConnect’s premium features could quickly visualize content and relationships. Click here to learn more about ThreatConnect’s premium service offerings.


Maltego Webinar Training

Take a deep dive into our 100+ Maltego transform set. View the webinar slides here.

Scenario 1: Visualizing Incidents tagged with Ukraine

1. Imagine you are an organization that is particularly concerned about Ukraine themed targeting. The first step is to look for any instances of targeting, documented as Incidents, that are tagged with “Ukraine” within the ThreatConnect Subscriber Community.  This yields five results, shown below.


2. For additional high level context, you can then pull all other Tags related to these Incidents. This yields several other interesting results. You have a clear view of several interesting Tags now including multiple matches on the use of CVE-2012-0158. It is notable that all the Incidents are also tagged “Russia” and “Advanced Persistent Threat”.


3. Now, to take a deeper look at the context of the Incidents, you can pull all of their Attributes from within ThreatConnect. This yields more in-depth descriptions, sourcing, and write-ups of tactics, techniques, and procedures (TTPs) used in the Incidents.


4. Since the focus is not on targeting to or from China, you can focus on the Incidents that don’t contain that Tag and are only Ukraine focused. Using Maltego, you can pull all the Indicators associated with the incidents of interest.  This yields six IPs, 27 MD5 hash values (including imphashes), 4 Domains, and 2 URLs, all with their own unique context and associations.


The indicators found can then be used for monitoring and detection across the network. You can also continue to pivot to discover other relationships on the Indicators in the ThreatConnect Subscriber Community, in other ThreatConnect public Communities, within your own private organization data in ThreatConnect, or by leveraging other Maltego transforms to look for data sources external to ThreatConnect. The possibilities are endless.

Scenario 2: Pivoting on Malicious Registrants from Reverse Whois data, Passive DNS, and DNS monitoring.

1. In this scenario, you can start by taking a domain registrant email address* whose domains are known to show up as malware callbacks.


2. Next, pivot via a transform to pull the Adversary entity associated with this email address.

3. Next, leveraging a running Track on the registrant email address within ThreatConnect, you can discover any second level registered domains associated with that email address. With passive DNS (pDNS) integration you can discover any third level domains that have been observed “in the wild” as well. One transform query on the graph below shows all domains associated to the Adversary. For the sake of the size of the graph, we’re looking at just a small subset of the known domains.


4. Now, you can go even deeper and utilize the DNS resolution monitoring for domain indicators within ThreatConnect to observe any overlap in IP address resolutions with date and time of resolution annotated. This yields 22 IP addresses for the over 80 domains in your subset.


Some of the IP addresses will undoubtedly be parking IPs (such as the loopback address), but others will show historic trending of use of the IP for Command and Control. Leveraging passive DNS again within ThreatConnect, you could check to see if any other suspicious domains have resolved to these IP addresses and assess them further.

This allows you to not only use these domains and indicators as IOC’s across your network, but you can now proactively monitor known infrastructure such as known Command and Control IP’s, domains, and the registrant address itself for activity. This creates a predictive defense against a known adversary, following their movements using concepts true to the Diamond Model of Intrusion Analysis.

For more information on how you can start taking advantage of the ThreatConnect and Maltego partnership, contact us today.


OPM Breach Analysis: Update

OPM Breach Analysis

As highlighted in our recent webinar with Rick Holland, when there is a security event of great magnitude, organizational leadership will want to know as much as possible about the technical WHAT and HOW, as well as the WHO and the WHEN.

In many cases, not all of these questions can be answered definitively; however, our inability to answer specific questions does not negate the intelligence requirement, nor does it allow the decision maker to sidestep the decision point that they face. Below are some common questions that we have been asked over the past few days from a variety of organizations regarding our analysis of the recent OPM breach, of which we have included a recap of public reporting to support our position(s).

Who do we believe is responsible?

Based on open source research and technical analysis, we believe that Chinese-based actors operating on behalf of the government of the People’s Republic of China (PRC) are responsible for the 2015 OPM breach. Although the specific group(s) responsible for this activity have proven to be somewhat amorphous, many independent researchers and threat intelligence analysts with familiarity of this ongoing activity will concur that the ultimate benefactor of the stolen data is the central government in Beijing.

We stress that it is most likely a cohort of Chinese actors resourced and directed by a common benefactor. The diversity of expert opinion and ambiguity which the security industry places on this particular threat may have been by design.  This could lend more credence to the working “Digital Quartermaster” theory originally introduced by FireEye and recently referenced within PricewaterhouseCooper (PWC) UK’s analysis of Scanbox II Threat Intelligence Bulletin, which featured facets of this particular threat.

One thing for certain is that despite the common uncertainty and consensus, this activity has been the catalyst for increased shared awareness, technical information sharing and analytic collaboration.

Why we believe it is China

  • We feel that there are transitive properties associated with the technical aspects of the activity observed thus far.
    • We can strongly tie Chinese based actors to faux Wellpoint (Anthem), Premera, Empire BlueCross Blue Shield and CareFirst themed infrastructure.
    • We can tie infrastructure observed within a campaign that targeted a Virginia-based defense contractor VAE, Inc. to a named Chinese professor at Southeast University with ties to Beijing TopSec.
      • This campaign used the Sakula malware with the same digital signature seen in the Wellpoint themed campaign. This infrastructure was configured for survivability within VAE, Inc. enterprise.
      • Activity and dates associated with the faux VAE, Inc. infrastructure align with the timeline of a hacking competition sponsored by the Chinese Professor, Southeast University and TopSec Beijing, both with organizational ties to the Ministry of State Security (MSS).
    • We can strongly tie malicious infrastructure that maintains an Office of Personnel Management (OPM) theme to registration patterns observed with the faux VAE, Inc. themed infrastructure.
      • The actors used GoDaddy to register faux VAE, Inc. and OPM themed domains.
      • In both instances, actors falsified domain registration data with Marvel “Avengers” themed first and last names.
      • Attackers also used “throw away” GMX email accounts that maintained a pattern of <10 random alphabetic characters>[.]com.
      • The timeline of faux OPM themed infrastructure activity is congruent with this official OPM timeline.

Have we seen this type of activity before?

The theft of government PII, and even a breach into OPM’s network, is nothing new.  In 2013, the private firm USIS (a contractor retained by OPM to conduct background investigations on federal employees) reported falling victim to a sophisticated state-sponsored network intrusion. This breach received widespread coverage and also great scrutiny and criticism from regulators on Capitol Hill.

As time went on, details of the compromise began to spring forth. In a report compiled by Stroz Friedberg, the investigations revealed that the attackers had gained access to USIS networks via an unidentified SAP enterprise resource planning (ERP) software package vulnerability.  Fast forward to March 2014, just a few months after the USIS hack, OPM would be breached, first announcing the breach in July 2014.

Additionally, consider the Wellpoint/Anthem, Premera, Empire and CareFirst hacks all had one thing in common: they are all part of the Blue Cross Blue Shield Association.  BCBS provides healthcare services to the Federal workforce.

In the case of the Spring 2015 healthcare breaches, we have reported in the past that the attack nexus was indeed China, likely state-sponsored in nature, and relied upon the Sakula malware to gain initial entry.  Additionally, as was the case in the USIS and OPM breaches, similar PII data was targeted (names, employment history, social security numbers, etc.).  All of these things considered suggest a greater degree of correlation as opposed to mere coincidence.

Were there any previous indications or warning?

In 2014, Novetta and a number of supporting industry organizations including ThreatConnect banded together to produce Operation SMN: Axiom Threat Actor Group Report, a detailed report containing information pertinent to Chinese APT activity with an emphasis on HiKit malware. Of note, the report stated “Among the industries we observed targeted or potentially infected by Hikit [included] Asian and Western government agencies responsible for [a variety of services such as] Personnel Management.”

A statement from such an industry group should have served as a key warning to government entities which were charged with conducting Personnel Management and warehousing PII.

Where did the HiKit Rootkit Originate?

At the 2015 Kaspersky Security Analysis Summit, Kris McConkey with PricewaterhouseCooper (PwC) UK delivered a compelling presentation based on research from fellow PwC Chinese research analyst Michael Yip.


McConkey highlights the development of Adversary Intelligence surrounding a Chinese-based actor likely responsible for developing the HiKit capability as well as associations with a particular ZoxPNG sample. Both HiKit and ZoxPNG malware would be considered “tier one” unique custom capabilities, as opposed to some of the lower-end, commonly distributed implants such as ZxShell, PlugX, Gh0st or PoisonIvy.


It is critical to highlight that we are not drawing lines between Axiom / Hikit and current activity, other than to note that Chinese actors posed legitimate threat to Western government personnel management organizations.  Irrespective of which threat posed the greater risk, there were indications that the Chinese maintained both capability and intent to target OPM as witnessed in 2014.

Is the OPM themed infrastructure related?

Based on our current understanding of the attackers and this activity, ThreatConnect suspects that the recent OPM attackers may have chosen the specific infrastructure naming convention (opmsecurity[.]org and opm-learning[.]org) to emulate an official OPM training resource that has been maintained outside of the OPM enterprise for some time. This emulation technique has been observed consistently across these seemingly related events.

If we are to couple the terms OPM (both Security AND learning) within a .org TLD, we identify the following web resources.


These online training resources currently fall outside of standard .gov enterprise and ironically provide online training and security awareness training services for OPM as well as numerous other federal departments, agencies and commercial clients.

Analyst Comment: Currently there is no evidence that suggests golearnportal[.]org has been co-opted or is compromised in any way.



As we highlighted in late February, the domain opm-learning[.]org was registered on July 29, 2014 by “tony stark” (vrzunyjkmf@gmx[.]com) and is observed active within pDNS as early as July 30, 2014, resolving to 50.117.38[.]170. This IP belongs to Egihosting (EGI), a company based out of California, but it is known to resell VPS services in China.

EGI’s network was designed with redundancy in mind, including a multi-homed setup of upstream providers like Global Crossing, nLayer, HE.NET and Highwinds. Our network has excellent direct connectivity to China and Asian networks and provides optimal routes to both domestic and other international destinations, including the often problematic and congested Chinese and Asian markets.


It is important to note that OPM first announced the first breach on July 10, 2014. However, the actors would register opm-learning[.]org 19 days later, on July 29, 2014, at which point the domain resolved to a domestic VPS service which boasts optimal routes to China on July 30, 2014. At the time of our reporting in February 2015, we assumed that the opm-learning[.]org infrastructure was a remnant of ongoing OPM 2014 breach activity. We now assess that opm-learning[.]com was likely either:

  • Used as a means for the original actors to reconstitute lost access from the initial 2014 breach.
  • Used by another group or team which was moving to establish new access.

Needless to say, a 19 day window from the 2014 breach announcement to establishment of new infrastructure is a noteworthy datapoint.


On the heels of the recent 2015 OPM breach announcement, we worked with our friends at DomainTools who helped us apply a custom search technique that we had been experimenting with, from which we shared notable outputs to our ThreatConnect Community. A refinement of that experiment yielded the domain opmsecurity[.]org.

Retrospective analysis of this domain indicates that it was registered on April 25, 2014 (four days prior to We11point[.]com), and the first observed instance of it being active (outside of GoDaddy resolutions) was as early as December 18, 2014, resolving to 148.163.104[.]35 until June 3, 2015 (a day before the official OPM breach announcement).

According to an official OPM FAQ, the intrusion occurred in December 2014, OPM became aware of the intrusion in April 2015, and became aware of potentially compromised data in May of 2015. This timeline is congruent with technical observables associated with the opmsecurity[.]org infrastructure. ThreatConnect assesses with high confidence that the opmsecurity[.]org infrastructure was leveraged within the 2015 OPM breach.


The suspicious No-IP dynamic domains ladygagagaga.serveblog[.]net and jamlitop3.zapto[.]org also resolved to the IP address 148.163.104[.]35 from April 27, 2015 to early May 2015.


As we research both ladygagagaga.serveblog[.]net and jamlitop3.zapto[.]org, we find that as of June 9, 2015, both C2s resolve to 107.167.75[.]138, a Chinese VPS provider, 370Host[.]net, purportedly within a colocation facility in Phoenix, Arizona.

What malware was used?

ThreatConnect assesses with moderate to high confidence that the opmsecurity[.]org domain was likely used within a PlugX variant based on a single VirusTotal URL submission. This URL contains the C2 callback URI structure “/DJMoqoirjvmimzzv/view/update?id=”, which is associated with the malicious DLLs MD5: 683a3e4448b7254d52363d74e8687f36 and MD5: c28ecee9bea8b7465293aeeef4316957. These DLL binaries are detected by multiple antivirus vendors as PlugX, which is likely an accurate malware classification considering the use of the “/update?id=” callback URI segment is specifically associated with the Destroy RAT aka Sogu family of malware, the direct precursor to PlugX.

Similar binaries found in VirusTotal are as follows:

  • 23DE2AFF9DBE277C7CE6ABBD52E68CE6
  • 4CED16CEB9C3BC50787303EC5C4DA0B8
  • BDDF02095971F6A309C68CFDFAAA3648
  • C51F43F860535CFA9B2F4528A5FE2877

Each of these binaries contains the hardcoded command and control IP address 46.21.150[.]165 (Fremont, California). This IP address also has passive DNS resolution history from the following suspicious domains:


This domain was initially registered by abit572@yahoo[.]com, then switched over to a nine character, likely pseudorandom, GMX registrant of ton0251sx@gmx[.]com. The fact that this domain is registered by a seemingly random registrant is noteworthy considering a similar registration profile was used in the faux OPM domains listed above. This domain may be a typo-squat impersonating a reference to Binghamton, a town and State University in New York.


This domain was registered in 2012 by 904726926@qq[.]com, then again on April 16, 2014 by the Chinese reseller “Li Ning” li2384826402@yahoo[.]com, who has been identified previously in similar activity.


This dynamic DNS domain currently resolves to 103.6.207[.]37 (Indonesia).

The use of a GMX registrant and the Li Ning reseller in the overlapping domains closely mirrors the registrant profiles associated with the Sakula campaign activity from the Wellpoint and VAE, Inc. targeting campaigns as well as in the faux OPM domains highlighted above. This leads ThreatConnect to assess with moderate confidence that the PlugX APT malware activity associated with the VirusTotal URL and related hashes is attributed to the actor that is using Sakula and leveraging the faux OPM domains. The timing of registrations and resolutions between the original June 2014 OPM breach announcement and the 2015 OPM breach announcement is noteworthy.


To many, it may seem absurd that a foreign government would want to gather a database of federal employee PII. Some have noted that this information is likely of greater value to criminal actors, and that it wouldn’t be nearly as helpful to enable spearphishing in the future, as social media profiles often hold higher quality intelligence used to socially engineer a victim.  While all of this is true to varying degrees, consider that we may be looking at this from the narrow perspective of the short-term.  Building up a PII database could fulfil a number of strategic goals well into the future.  The long game strategy is characteristic of Chinese thought, and may very well be what is at play here.

Want to learn more and follow the latest updates? Register for a free organization account here or an individual account of ThreatConnect below to get started.

What the Verizon DBIR Says About Threat Intelligence Sharing

Before we get started on Verizon’s 2015 Data Breach Investigations Report (DBIR), let’s address the elephant in the room. I created the DBIR back in 2008 and have led the excellent team that produces it since then (including the new 2015 edition). In a purely coincidental twist of timing, I joined ThreatConnect mere days before the 2015 DBIR released. The nifty thing about this is it allowed me to write the “DBIR is out” blog post for Verizon as well as this one featuring ThreatConnect’s takeaways and contributions to the report. Pretty cool, right?

Center stage, second page


In case you didn’t know, ThreatConnect is one of the 70 organizations that contributed data to the 2015 DBIR (2nd logo page, dead center). I’ll get into what we provided soon, but this is actually the first important takeaway; the DBIR represents a very large, global, public-private info/intel sharing community. It offers a compelling proofpoint that sensitive data can be shared–even across national and competitive boundaries–to improve security awareness and action. I love this aspect of the DBIR and what it means for our industry. In fact, my desire to leverage a platform to aggregate and analyze intelligence in a more ongoing, operational capacity across an even larger community is what led me to join ThreatConnect.

2015 DBIR logo pages. Look - there's ThreatConnect!

The scope and structure of the DBIR is quite different this year. Typically, the report focuses on data breaches and the who, what, when, where, why, and how behind them. That’s all still in there, but the 2015 version goes “Before and Beyond the Breach” to examine things like industry threat profiles, financial impact models, vulnerability disclosures/exploits, and intelligence sharing trends. As you may have guessed, the latter formed ThreatConnect’s contribution to the report.

She shares IP snares by the softwares

Using high-level data across 15 intel-sharing communities within ThreatConnect (some comprising distinct verticals, others a combination of regional or threat-focused participants), we aimed to give insight into the types and level of sharing and how these dynamics may differ across groups. The specific numbers in the figure below aren’t as important as their basic message: communities are sharing (and that’s good), but they could be sharing (and benefiting) more.

Types and percentages of indicators shared within various ThreatConnect communities

IP addresses are often the initial ante for intel sharing, but become much more useful when connected to other IPs, context, domains, emails, malware, campaigns, adversaries, etc. I’m keen to learn more about how communities can leverage the ThreatConnect platform to increase the diversity and depth of sharing and analysis. The rest of the DBIR’s intel section makes a solid case for why this maturation process is so important. Many intel providers boast about having the best indicators of compromise (IOCs), and typically back this up with some claim on exclusivity. The DBIR will surely take the wind out of a few sails (and maybe sink a few RSA Conference presentations too). It compares 50+ IOC feeds over a 6 month period and finds they all exhibit high levels of uniqueness. That exclusivity card is looking less and less like a winner, isn’t it? Instead, the report suggests the winning strategy will aggregate numerous sources of IOCs to build the strongest possible hand. At this point, you might suspect I’m stacking the deck to convince you investing in a threat intelligence platform is a smart move, but I assure you that I’m not. I don’t need to; the data’s doing that for me.

Comparison of uniqueness among threat indicator feeds.

The intel section in the DBIR also studied how quickly IOCs (mostly IPs) need to be shared in order to create a kind of “herd immunity” where we’re all safer together. Three-quarters of attacks (with a common IOC) spread from the first victim to the second victim within a day. The report also shows most IOCs have a relatively short shelf life, often lasting only hours between their first and last observation in the wild. As the report states, “that puts quite a bit of pressure on us as a community to collect, vet, and distribute indicator-based intelligence very quickly in order to maximize our collective preparedness.” We need to close the gap between sharing speed and attack speed.

Reading between the lines

Reinforcing the need to close gaps, the infamous “detection deficit” chart introduced in the 2014 DBIR is back this year. It contrasts how often attackers (orange) compromise the victim’s network in days or less with how often defenders (teal) discover the compromise in the same interval. Attackers usually get their job done within days, yet defenders usually don’t. This creates the so-called deficit between attacker timelines and defender timelines. The deficit was smaller than it has ever been before, but it’s still too wide, and too early, to declare victory just yet.

Attacker time to compromise vs defender time to discovery

What you can’t see from the deficit chart is how defenders discover incidents. The 2015 DBIR doesn’t provide a comparable figure, so I’ve borrowed the one below from last year’s report. Overall, breach discovery isn’t a happy story, but there is a ray of sunshine peeking through the figure. The quickest rising discovery method is third party notification, and while not stated on the label, this is usually due to observations of the victim communicating with known adversary infrastructure. I include it here because it provides another data point on how intelligence helps level the playing field by informing defensive action.


Cousins by chance, friends by choice

Another section in the report, Industry Profiles, isn’t about intelligence per se, but it most certainly has ramifications for how we share and use it. Besides that, I find it incredibly well-written and insightful, and I’m sure whoever wrote it must be wicked smart. ;-b The figure below is the handiwork of a clustering algorithm that places industries with similar threat profiles in proximity to one another. The DBIR explains it well:

Each dot represents an industry “subsector” (we chose to use the three-digit NAICS codes—rather than the first two only—to illustrate more specificity in industry groupings). The size of the dot relates to the number of incidents recorded for that subsector over the last three years (larger = more). The distance between the dots shows how incidents in one subsector compare to that of another. If dots are close together, it means incidents in those subsectors share similar VERIS characteristics such as threat actors, actions, compromised assets, etc. If far away, it means the opposite. In other words, subsectors with similar threat profiles appear closer together.


Clustering of industry subsectors based on similarity of threat profile

You should definitely read the report to get the whole story on this one, but my abridged version is that it challenges our notions of industry-based peer groups for things like info/intel sharing, compliance standards, and regulations. Notice how the subsector dots in the Public (92x), Manufacturing (32x and 33x), and Finance (52x) sectors spread out all over the place rather than cozy up close. The critical lesson here is there is no “financial sector threat profile;” consumer banks, investment firms, and insurance carriers have very different business and technology profiles. Thus, it only makes sense that their threat profiles would be different as well. And if that’s true, then we can’t expect all subsectors in a given industry to share the same intelligence requirements. Why, then, is it standard practice to organize info/intel sharing groups along industry lines? If these results are legit, they beg for those lines to be redrawn.
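The DBIR passage quoted above describes the mechanics of the figure (one dot per three-digit NAICS subsector, distance driven by similarity of VERIS characteristics) without showing a computation. The following is an added illustration, not code or data from the DBIR or from ThreatConnect: each subsector is given a constructed set of VERIS-style characteristic tags (invented for the example, not real incident data), pairwise Jaccard distance stands in for the report’s similarity measure, and a plain single-linkage agglomerative clustering groups subsectors whose threat profiles sit within a chosen distance of one another. The NAICS codes are real three-digit codes from the sectors the post names (52x Finance, 92x Public, 32x/33x Manufacturing); the tag sets attached to them are assumptions chosen only so the example is easy to follow.

```python
from itertools import combinations

# Constructed, illustrative VERIS-style profiles for seven NAICS subsectors.
# Tags are invented for this example and are NOT DBIR findings; they exist only
# to show how "closeness" in the cluster figure falls out of shared characteristics.
PROFILES = {
    # 52x Finance
    "522": {"actor:external", "action:hacking", "action:malware", "vector:web-app",
            "asset:server", "attr:confidentiality", "data:payment-card"},
    "523": {"actor:external", "action:hacking", "action:social", "vector:web-app",
            "asset:server", "attr:confidentiality", "data:credentials"},
    "524": {"actor:internal", "action:misuse", "action:error", "asset:user-device",
            "asset:media", "data:personal", "attr:confidentiality"},
    # 92x Public Administration
    "921": {"actor:internal", "action:error", "action:misuse", "asset:media",
            "data:personal", "attr:confidentiality", "attr:availability"},
    "922": {"actor:external", "action:hacking", "action:malware", "asset:server",
            "vector:web-app", "attr:confidentiality", "data:credentials"},
    # 32x / 33x Manufacturing
    "325": {"actor:external", "action:social", "action:malware", "asset:user-device",
            "asset:server", "data:secrets", "attr:confidentiality"},
    "336": {"actor:external", "action:social", "action:malware", "asset:user-device",
            "data:secrets", "attr:confidentiality", "data:credentials"},
}


def jaccard_distance(a, b):
    """1 - |A ∩ B| / |A ∪ B|: 0.0 for identical tag sets, 1.0 for disjoint ones."""
    return 1.0 - len(a & b) / len(a | b)


def distance_table(profiles):
    """Symmetric lookup of pairwise distances, keyed in both orientations."""
    dist = {}
    for x, y in combinations(profiles, 2):
        dist[(x, y)] = dist[(y, x)] = jaccard_distance(profiles[x], profiles[y])
    return dist


def nearest_neighbour(profiles, name):
    """Which other subsector is closest in threat profile to `name`."""
    dist = distance_table(profiles)
    return min((other for other in profiles if other != name),
               key=lambda other: dist[(name, other)])


def single_linkage_clusters(profiles, threshold):
    """Agglomerative clustering: repeatedly merge the two clusters whose closest
    members are nearest, until no pair is within `threshold`. Returns clusters
    as sorted lists of subsector codes, sorted for stable comparison."""
    dist = distance_table(profiles)
    clusters = [frozenset([name]) for name in profiles]
    while len(clusters) > 1:
        best = None
        for c1, c2 in combinations(clusters, 2):
            link = min(dist[(x, y)] for x in c1 for y in c2)   # single linkage
            if best is None or link < best[0]:
                best = (link, c1, c2)
        if best[0] > threshold:
            break
        _, c1, c2 = best
        clusters = [c for c in clusters if c not in (c1, c2)] + [c1 | c2]
    return sorted(sorted(c) for c in clusters)


if __name__ == "__main__":
    for group in single_linkage_clusters(PROFILES, threshold=0.5):
        print("cluster:", ", ".join(group))
    # With these constructed tags, 524 (insurance) lands with 921 rather than with
    # the other 52x subsectors, which is the post's point about industry lines.
```

Run as-is it prints three clusters; the two-digit sector prefix of a subsector does not predict which cluster it joins, which is exactly the effect the post draws from the real figure.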

And this leads to my last pivot back to ThreatConnect. The platform lets users draw (and redraw) those lines to create custom intelligence communities around shared intelligence needs and threat profiles. Pretty cool, right? I think so. Being a part of the DBIR was a hugely rewarding experience in so many ways. But after 8 years of studying the problems we face as an industry, I joined ThreatConnect because I’m ready to start fixing them. I look forward to working with our communities, customers, partners, users, and friends to accomplish that goal together.

UPDATE: The Verizon DBIR team released an interactive version of the cluster diagram above. It’s definitely worth checking out.

TL;DR: The 2015 DBIR is out and ThreatConnect contributed. Info/intel sharing works and produces valuable results. But we all have some work to do in order to maximize those benefits. We need to share more, we need to share/analyze quicker, and we need to share/analyze smarter. I’m jazzed about helping to achieve those goals in my new role with ThreatConnect.

Get a free Community account of ThreatConnect now to get started analyzing data and participating in one of our communities. Upgrade to a Team or Enterprise edition for even more features.

ThreatConnect How To: Importing Indicators

There are many advantages to having a centralized Threat Intelligence Platform (TIP) to aggregate, analyze and act on your own threat intelligence. Among them is empowering the threat analyst to interact with new threat data as it is aggregated by providing a direct interface to speed up their workflow. This makes collaboration easier and essential to the threat analysis process. Analysts using ThreatConnect can take a set of raw indicators from any source, be it human or machine generated, and use the features of the platform to breathe new ‘life’ and relevancy into their raw data set. What do I mean by ‘life’? I mean having a collection of indicators that is just as dynamic as the adversary who leverages them. Indicators auto-enrich and are associated with relevant details tying them to the key infrastructure components used in a malicious campaign or attack. Indicators that are “alive” are not stagnant; they are not sitting idly on a spinning disk waiting to become obsolete, and with ThreatConnect, you can put them to work for you. Consider the time an analyst saves by having ThreatConnect answer a few questions that should be asked of any new indicator:

  • Who in my community, or among my internal ThreatConnect Organization, has seen these same indicators?
  • Has anyone already associated these indicators with another incident, threat or adversary?
  • For my host and IP indicators, what DNS and WHOIS lookup data can I obtain and how frequently has it changed?
  • Can I be alerted if this indicator updates or if someone else has seen it?

Having the ability to quickly and easily get answers to these questions is just part of what makes a community-driven approach to threat intelligence so powerful.

So, let’s begin with the basics of importing content into an incident:

Create an Incident:

One of the key features of ThreatConnect is being able to quickly organize your data, group it and associate it, developing an ever-increasing amount of context over time. In this example, we will create an Incident, but other groupings are available to us depending on what our analytic use case may be.

Step 1:  Create


Step 2:  Categorize and Enrich

We can apply as many system level or custom attributes to an Incident as we need to capture all of the relevant details. We can also apply Security Labels and custom Tags (a feature we will address later on in the context of indicators).

Now that we have an Incident created, it is time to populate it with raw information or finished analysis, depending on your preference and individual use case. Let’s take a look at how we import data within ThreatConnect.

Importing indicators: Structured vs. Unstructured

Within ThreatConnect, structured data imports allow for maximum levels of user control over the data before it is imported and require less overhead afterwards. Since finding and aggregating indicator data in a structured format is not always possible, ThreatConnect also provides a powerful feature for parsing indicator data from unstructured sources such as text, PDF and other document formats. It also maintains analytic creature comforts such as “find and replace” features that restore defanged URLs, domains, or IP addresses that have been modified so they cannot be clicked on. This means you can grab any text from your favorite analysis blog or the latest PDF write-up provided by <insert your favorite security vendor name here> and load it directly into ThreatConnect for indicator parsing and extraction. This dramatically speeds up analyst workflow and threat discovery by allowing analysts to completely bypass what would otherwise be a lengthy and unwieldy process of manual extraction and data massage. It also allows you to include indicators in your analysis that may otherwise have fallen by the wayside in unread technical whitepapers or blogs.

ThreatConnect Research TIP: There are times you may want to use only Structured or only Unstructured imports; other times, you may want to use both. It all depends on how the data is presented to you. Consider using the filtering feature to assign common attributes (Descriptions, Sources, etc.) or rating and confidence values. These can always be updated or changed manually or programmatically via the ThreatConnect API.

What follows is a quick, step-by-step guide on how to import a structured set of indicators:

Step 1: Import

To import data from within my ThreatConnect Account, I simply select import indicators from the top right menu bar:


I’ll want to select ‘STRUCTURED CSV’ since I am using a spreadsheet. For more information on how to structure your CSV, please reference the tooltip within the STRUCTURED CSV option.


Note that my CSV contains the correctly formatted indicator TYPE with the appropriate indicator VALUE. I have included a default DESCRIPTION and SOURCE attribute for additional context and referencing. Of the populated fields, the last two contain a ‘1’ and are optional: they tell ThreatConnect to enable automatic historical WHOIS and DNS lookups for HOST indicators. If your WHOIS and DNS results are not immediately available post-import, don’t worry – ThreatConnect has scheduled them and the indicators will be auto-enriched.

ThreatConnect Research TIP: It is a good rule of thumb to enable the WHOIS and DNS tracking feature because you want ThreatConnect to update any infrastructure or registration changes. ThreatConnect will also make associations to overlapping WHOIS metadata and DNS resolutions, revealing any non-obvious relationships over time.

By default, the target destination you will import your data into will be your private individual or organization account. However, you have the choice to import data directly into a community to which you belong, such as the Common Community. Keep in mind that these communities may have their own anonymity and data sharing policies and code of conduct, so it is important to first understand the differences between private imports and community imports.


Step 2: Validate

In this step, I simply need to validate that all eight fields were correctly identified. Thankfully, ThreatConnect helps you during this validation process. If you happen to have errors at this point, just double check the structure of your CSV and make sure it conforms with the format outlined in the import tooltip. After clicking next, I can then validate that all ten of my indicators were found.

Step 3: Confirm

In this step, I will confirm which of my indicators are new and which already exist within my communities. Here, I can see that all ten of my indicators already exist. This is good news because it means somebody else within my organization or community has already done some initial analysis, and it ensures that nobody has to do the same work twice. I also have the option to view existing indicators to ensure they are not already associated with the Incident, Threat or Adversary I am currently working on. If your indicators already exist in the system, re-adding them will append any new Description and Source to the existing indicator Attributes you have access to, capturing new information regarding indicators that may be “repeat offenders”.

Step 4: Security Labels and Tagging

Once confirmed, I want to select Security Labels appropriate for my intended audience. Security Labels allow me to set custom security controls around the Indicators themselves as well as associated context within the Attributes. I may also want to tag my indicators. Tagging is a powerful way to make it easier for other analysts to quickly identify and categorize my data and associate them with similar intelligence themes.

ThreatConnect Research TIP: Security Labels are very handy when classifying Indicators, Groups or Attributes. Security Labels allow you to convey your intent as to whether the content can or cannot be shared, as well as how the information can be used. Examples that ThreatConnect Research has created and used are CLIENT CONFIDENTIAL and APPROVED FOR RELEASE.

Step 5: Create New Associations and Save

Finally, I will associate my Indicators with the existing corresponding Grouping (e.g., Incident, Threat, Email or Adversary) I created and hit save. Note that Indicators can also be associated with specific adversaries, threats, signatures, emails, tasks and documents.

Unstructured Data Import

When importing an unstructured set of Indicators, I will mostly follow the same process. The key difference only applies to steps 1, 2 and 3, so these next instructions will focus only on what is different during an unstructured import.

Step 1: Import

I begin by importing a PDF file that I obtained from a great whitepaper on the “Inception Campaign” from the Blue Coat Labs blog. This write-up contains a plethora of indicator data that would take far too long for me to parse manually, but I want to immediately capture it, enrich it and go hunting for some of the content within my defensive integrations.

Step 2: Validate

When importing from unstructured data, it is important to note that the parsing engine will extract anything and everything that looks like an indicator. This will often include hostnames, email addresses, URLs and IP addresses that are not malicious but are merely referenced in the document. Analysts will need to validate that the indicators are of interest and prune those that are not before the import, to ensure that only the desired content is captured.
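The two mechanics described in this post, restoring defanged indicators (the “find and replace” behaviour mentioned under Structured vs. Unstructured) and then pruning the benign hosts that any greedy extractor will also pick up (the validation point above), are easy to see in code. What follows is an added, stand-alone example written for this article; it is not ThreatConnect’s parsing engine and makes no claim about how the platform implements either step. The sample report text, the indicator values in it and the benign allowlist are all constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample text standing in for a pasted blog post or PDF write-up.
# Every indicator below is invented for this example.
SAMPLE_TEXT = """
The dropper beacons to hxxp://update-check[.]example-malicious[.]com/gate.php and
falls back to 203[.]0[.]113[.]45 over port 443. A second C2, cdn-sync[.]example-malicious[.]net,
was registered the same day. The lure came from billing(at)example-malicious[.]com.
Payload SHA256: 3f786850e387550fdab836ed7e6dc881de23001b83ffa8c1a4e5d12b3f0c9a6e
Original report: https://blog.example.com/inception-writeup (MD5 of the PDF: 9e107d9d372bb6826bd81d3542a419d6)
"""

# Common defanging conventions and what they stand for.
REFANG_RULES = [
    (re.compile(r"hxxp", re.IGNORECASE), "http"),
    (re.compile(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]", re.IGNORECASE), "."),
    (re.compile(r"\[at\]|\(at\)|\[@\]", re.IGNORECASE), "@"),
]

# Extraction patterns; hosts are matched last, after URLs and emails are removed,
# so a URL's hostname is not double-counted as a stand-alone host.
PATTERNS = {
    "url": re.compile(r"https?://[^\s\"'<>()]+"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ipv4": re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "sha256": re.compile(r"\b[a-fA-F0-9]{64}\b"),
    "sha1": re.compile(r"\b[a-fA-F0-9]{40}\b"),
    "md5": re.compile(r"\b[a-fA-F0-9]{32}\b"),
    "host": re.compile(r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}\b", re.IGNORECASE),
}


def refang(text):
    """Turn hxxp://evil[.]example into http://evil.example so the patterns above match."""
    for pattern, replacement in REFANG_RULES:
        text = pattern.sub(replacement, text)
    return text


def host_of(kind, value):
    """Hostname behind a url/email/host indicator; None for IPs and hashes."""
    if kind == "url":
        return (urlparse(value).hostname or "").lower()
    if kind == "email":
        return value.rsplit("@", 1)[1].lower()
    if kind == "host":
        return value.lower()
    return None


def extract_indicators(text):
    """Greedy extraction: everything that looks like an indicator, benign or not."""
    text = refang(text)
    found = {kind: set() for kind in PATTERNS}
    for kind in ("url", "email"):
        for match in PATTERNS[kind].findall(text):
            match = match.rstrip(".,;")
            found[kind].add(match)
            found["host"].add(host_of(kind, match))   # the URL/email host is an indicator too
        text = PATTERNS[kind].sub(" ", text)           # blank out so hosts are not re-matched
    for kind in ("ipv4", "sha256", "sha1", "md5", "host"):
        for match in PATTERNS[kind].findall(text):
            found[kind].add(match if kind == "ipv4" else match.lower())
    return found


def prune(found, benign_hosts):
    """Analyst validation step: drop indicators whose host is a known-benign domain
    (the report's own site, reference links) or a subdomain of one."""
    benign = {h.lower() for h in benign_hosts}

    def is_benign(kind, value):
        host = host_of(kind, value)
        return host is not None and any(host == b or host.endswith("." + b) for b in benign)

    return {kind: {v for v in values if not is_benign(kind, v)} for kind, values in found.items()}


if __name__ == "__main__":
    raw = extract_indicators(SAMPLE_TEXT)
    kept = prune(raw, ["example.com"])   # constructed allowlist: the publisher's own domain
    for kind in PATTERNS:
        print(f"{kind:7s} extracted={len(raw[kind])} kept={len(kept[kind])} -> {sorted(kept[kind])}")
```

The extraction deliberately over-collects, which is the behaviour the post warns about: `blog.example.com` and its URL are picked up alongside the real infrastructure, and only the prune step, driven by an analyst-supplied allowlist, removes them. Hashes and IP addresses have no hostname and pass through pruning untouched.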


Step 3: Confirm

After validating the data, I have the option to add Description, Source, Rating and Confidence. Note: Any change I make here is applied to all of my Indicators. Since these values will vary with each indicator, I will choose to skip this step and apply the necessary changes to each indicator individually, after I finish my import.



Unfortunately, for far too long, the state of the art for many Threat Intelligence Teams was email and spreadsheets. Keeping track of multiple dynamic threats over extended periods of time no longer scales with the features of basic office automation. Content and context are everywhere, from analyst inboxes to download folders. With ThreatConnect, analysts can now resurrect what would otherwise be forgotten threat intelligence and put that data to work within a Threat Intelligence Platform. Getting data into a Threat Intelligence Platform should be as quick and efficient as possible so that time is spent analyzing threats, not munging and massaging data. This is why ThreatConnect gives our users several interface options to import and populate their Individual or Organization accounts. In future “How-Tos”, we will cover the ThreatConnect API and explain how to automate the ingestion of threat intelligence. Want to breathe new life into your Threat Intelligence? Register for a free Community ThreatConnect account to get started, or choose one of our premium account options for more robust features. Learn more about how ThreatConnect can enrich your organization’s data.

ThreatConnect Announces Investment from Grotech Ventures

Today, I’m proud to share that ThreatConnect has announced a $4 Million Series A investment led by Grotech Ventures and other strategic partners. You can read more about the specifics here. Grotech Ventures is one of the premier East Coast venture capital firms and we are excited to have them on board as our partners as we embark on this next stage of growth.

We are very excited that our hard work has been recognized. Our company was founded on the idea that everything revolves around people, and we still feel that way. Our people built this company and allowed us to be what we are and grow at the phenomenal pace that we have. In fact, in June we were selected by the Northern Virginia Technology Council (NVTC) as the Hottest Bootstrap Company in recognition of what we had been able to do to that point without outside capital. ThreatConnect was built on the feedback of our analysts out in the real world, and together we have shaped the threat intelligence market overall – something we are very proud of.

We have over 3,000 users and over 40 of the Fortune 100 using ThreatConnect, and we have a bright future ahead for all of our customers and staff.

Thank you to all of our team members, customers, partners, and friends for your continued support and for having a hand in building the next big security company success story. We could not have done this without all of you, and I hope that you are as excited as I am about the company’s future.

Debugging the Pakistan Cyber Army: From Pakbugs to Bitterbugs

For over a year, the ThreatConnect Research Team has been tracking Pakistan-based cyber espionage activity associated with a custom malware implant recently dubbed “BITTERBUG.” In August of 2013, we reported our initial findings and analysis of the malware. In 2014, we teamed with FireEye to publish a comprehensive overview of the activity within Operation Arachnophobia.

As we continue to delve into the details surrounding this activity, we are uncovering more information about the personas and relationships between identified individuals and organizations. These new data points introduce additional questions about actor relationships, their respective levels of involvement in other hacking activities, and the likely motivations of those involved.

The Pakistan Cyber Army:

In one vein of our research, we focused on defacement activity that occurred against notable Indian websites between 2008 and 2010, specifically defacements originally claimed by the Pakistan Cyber Army (PCA).


One of the earliest dates we could identify involving the PCA was the November 24th, 2008 defacement of, India’s Oil and Natural Gas Corporation Ltd. (ONGC). Within the defacement content, we observed the attackers using the statement “We were sleeping but not dead”. This defacement also contained tags of the presumed defacers: “HAroon + HAmza + ABunasar + Naveed + Hassan.”


  • The initial PCA ONGC defacement contained the statement “We were sleeping but not dead”.
  • The initial PCA ONGC defacement contained the tags “HAroon + HAmza + ABunasar + Naveed + Hassan.”

These “tags” (or attacker aliases) also appear to coincide with relationships between individuals and organizations identified within the Operation Arachnophobia research. Public comments and elicitations by PCA members contained notable commonalities with several of the Operation Arachnophobia personas. The timing of the PCA defacement activity also overlaps dates in which the identified personas may have established personal or professional relationships. Many of the personas also maintained a skillset specific to web service and web application exploitation.

Abunasar Khan:

One of the primary personas we identified as being associated with an organization that hosted and served as BITTERBUG command and control, was a Pakistani hacker named Abunasar Khan. As outlined in the Operation Arachnophobia research, Khan maintained certain associations with a Pakistan-based VPS provider VPSNOC, a subdivision of Digital was involved in hacking activities since at least 2007, and his website ( has referenced “Antisec” since at least April of 2010. Currently, the page “” has an HTML title tag of “Alive” and page content that simply states “Not Dead”.


Abunasar Khan also maintains a Google+ profile, and included in his “circle” is former Tranchulas Lead Penetration Tester Hamza Qamar.


  • Pakistani hacker Abunasar Khan was associated with BITTERBUG infrastructure within the Operation Arachnophobia research.
  • Abunasar Khan currently maintains and has likely done so since 2004.
  • Abunasar Khan was observed conducting hacking activities as early as 2007.
  • has reflected an affinity or affiliation with AntiSec since 2010.
  • currently contains a similar reference to an early PCA defacement, with a unique alternative “Alive/Not Dead”.

Muhammad Haroon:

According to Muhammad Haroon’s LinkedIn profile, between June of 2006 and May of 2009 Haroon was employed by Tranchulas in Islamabad, Pakistan. Haroon’s resume details an advanced penetration testing skill set, as well as web application security testing based on OWASP standards. Haroon is also listed as the OWASP Chapter leader in Pakistan.


Haroon has been credited with identifying zero-day vulnerabilities and specifically references his participation within, presenting on spear phishing research in 2007 and WEP cracking and SQL injection techniques at the “Hackers Convention” in 2009. The Hackers Convention 2009 was an event promoted by Tranchulas CEO Zubair Khan at the Air University auditorium in Islamabad. Haroon includes a YouTube link within his resume that consists of a Dawn News interview with Zubair Khan, who summarizes the event. Note that the YouTube profile “iamviewer1” has only five public videos, two of which are newscasts associated with the PCA defacements.


The Chase 2009 Conference on Hacking and Security was held from November 6th to 10th, 2009 in Lahore, Pakistan. During the event, various training sessions were offered. Within Training Track 3, “Web Application Hacking and Vulnerability Analysis”, Mr. Muhammed Haroon and Mr. Hamza Qamar were scheduled to teach a day-long course on various web service and web application hacking techniques.

Chase 2009

According to their public LinkedIn profiles, both Muhammad Haroon and Hamza Qamar were employees of Tranchulas at different times: Muhammad from June 2006 to May 2009, and Hamza since 2011. Haroon and Qamar had established a professional working relationship as early as 2009.


  • Muhammed Haroon was employed by Tranchulas between June of 2006 and May of 2009.
  • Muhammed Haroon was listed as the OWASP Chapter leader in Pakistan (Currently in Oman).
  • Muhammed Haroon presented at “The Hacker Convention 2009” an event promoted by Tranchulas CEO Zubair Khan.
  • Muhammed Haroon and Hamza Qamar taught a Web Application Hacking and Vulnerability Analysis course at the Chase 2009 Conference on Hacking and Security.
  • Muhammed Haroon and Hamza Qamar were both employed by Tranchulas at different times.

Hamza Qamar:

Hamza Qamar was initially identified within the Operation Arachnophobia research as a Lead Penetration Tester for Tranchulas in August 2013. After the initial blog posting, ThreatConnect Research followed up with Qamar via his Tranchulas email address seeking an explanation for many of the inconsistencies identified within Zubair Khan’s official Tranchulas response. Qamar issued a simple denial of having altered an image and failed to follow up on any other ThreatConnect Research questions. Qamar’s public Google+ profile has only Abunasar Khan’s Google+ profile within his circle, suggesting some sort of personal or professional relationship.




  • Hamza Qamar was previously employed by Tranchulas.
  • Hamza Qamar interacted with ThreatConnect Research in response to the August 2013 blog.
  • Hamza Qamar taught a web application hacking class with Muhammed Haroon in 2009.
  • Hamza Qamar’s Google+ profile has only Abunasar Khan within his public profile.

Pakistan Cyber Army Linkages to Pakbugs:

Prior to 2009, Pakbugs was an “underground” web forum that hackers used to collaborate, share hacking tactics and techniques, and sell malicious code and stolen data. In July of 2010, five Pakistani members of Pakbugs were arrested by Pakistani authorities.

PCA members would issue an official statement in response to the arrest of members of Pakbugs. The statement reaffirmed credit for the original PCA ONGC defacement and the striking of a “peace deal” between Pakistani and Indian hacker groups, putting an end to the bilateral defacement activities. The PCA members indicated that they had warned “Pakbugs” members of the effectiveness of Pakistani authorities “many times”, asking them not to target internal Pakistani sites. PCA referred to the Pakbugs members as “kids” and requested that the Pakistani authorities be lenient in their punishment. The PCA statement included a general message of caution for “upcoming hackers” and a stern warning to “Indian hackers” not to exploit the situation by targeting Pakistani sites. The closing of the statement included hacker handles for the respective PCA members: “Haroon aka D45H & Hamza aka r4yd3n”.

This official statement suggests that there may have been some level of a mentor-protégé relationship between elder PCA members and younger Pakbugs members.

A September 2009 F-Secure blog confirms that the Pakbugs user database was leaked on the Full Disclosure mailing list by unidentified whitehats. Later, in a July 2010 blog, Gary Warner posted details regarding a Pakbugs arrest, which included a reference that “someone named R4yd3n was a member at Pakbugs as well, using the email” Although it does appear that someone was using the “R4yd3n” alias and email within the Pakbugs forum, there are no additional details as to the nature of “R4yd3n’s” membership or activity within the Pakbugs forum.


  • Pakbugs was an underground hacking forum.
  • In July 2010, five members of Pakbugs were arrested by Pakistani authorities.
  • PCA made an official statement in response to the Pakbugs arrests.
  • PCA requested that Pakistani authorities be lenient with Pakbugs.
  • PCA referred to Pakbugs as “kids” and that they had a “childish attitude”.
  • PCA included hacker handles “Haroon aka D45H & Hamza aka r4yd3n” within the official statement.
  • Pakbugs member “R4yd3n” used the email

“HAmza” aka “R4yd3n” aka “Sana2005”:

A PCA statement regarding the Pakbugs arrest included an interesting elicitation, “Hamza aka r4yd3n”; coupling this with the Pakbugs forum full disclosure and Warner’s blog, we see an association between the Pakbugs alias “R4yd3n” and the email address

In a posting to Pakwheels (November 23, 2008), a user with a profile named “Sana2005” announced the Indian ONGC PCA defacement ahead of any media reporting. Several hours later “Sana2005” followed up with a request for Pakwheels members to “report to the media if any one of you can.” and “…this news has not been on the media yet.” Most notably were statements which included “we” such as “If we can do this work, you people can at least spread this news.” and “We will appreciate your help.” The post was signed with “PCA” which is assumed to refer to the Pakistan Cyber Army.

Pakwheels post (snipped)

This posting implied that “Sana2005” was claiming responsibility for the defacement and/or speaking authoritatively for the PCA. Other Pakwheels postings from “Sana2005” indicate that he lives in Islamabad/Rawalpindi and could be reached on his phone numbers 0312-5151946 and 0345-8571337. The initial posting to Pakwheels announcing the defacement, as well as the follow-on posts several hours later, suggests that “Sana2005” aka “r4yd3n” is actually PCA’s “Hamza.” The “Sana2005” profile was likely how PCA members were aware of Pakbugs members’ hacking activities and were able to issue warnings and guidance regarding the Pakistani authorities.

Pakwheels post listing cell numbers

Pakwheels serves as another point of overlap, considering it is also frequented by Abunasar Khan (aka abunasark), as highlighted earlier within the Operation Arachnophobia research. Note that in the posting above, “sana2005” makes a reference to an “Abunasar”; however, it is unknown if this is a reference to Abunasar Khan or to another, unrelated Pakwheels user, “abunasar”.

Pakwheels post referencing “Abunasar”


  • Sana2005 posts to the same Pakistani car forum as Abunasar Khan.
  • Sana2005 claims to be in Islamabad Pakistan.
  • Sana2005 appears to be the first to post public details of the ONGC PCA defacement in November 2008.
  • Within a posting, Sana2005 refers to “we” and concludes the post with “PCA”.
  • Sana2005 can be linked to Pakbugs and the alias “R4yd3n.”
  • The alias “R4yd3n” can be linked to official PCA responses and the aliases “Hamza” and “Sana2005”.

PCA CopyCats:

In mid-August of 2010, the personal website of Indian industrialist Vijay Mallya was defaced by Pakistani actors claiming to be associated with the PCA.


The defacement included the comment “We are sleeping, not dead”; however, even a Pakistani blogger who was previously in contact with PCA members noted inconsistencies with earlier PCA defacements, suggesting the defacement was a copycat attack and the attackers were simply using the PCA banner as a false flag.

On 24 August 2010, PCA provided a detailed official statement denying any involvement with the Mallya defacement. The PCA specified, “Please do not associate ‘Pakistan Cyber Army which has only three members Haroon aka D45H, Hamza aka R4yd3n and Abunasar aka Abunasar’ with any other hacking groups in Pakistan.” The references to the names “Haroon”, “Hamza” and “Abunasar” substantiate the inference of a surname for Muhammed Haroon and given names for Hamza Qamar and Abunasar Khan; the use of the respective aliases “D45H”, “R4yd3n” and “Abunasar” indicates that the PCA members may have been using real names within their official statements.

In May 2011, the Indian Cyber Army would breach and disclose details of “Shak”, one of the Vijay Mallya website defacers.

Previous Research:

As highlighted in his 2008 research of the PCA activity, researcher Nart Villeneuve made observations of the ONGC defacement by analyzing details of an email sent from the Pakistan Cyber Army. Villeneuve’s independent observations from 2008 are consistent with new details uncovered as a result of the Operation Arachnophobia research. We focus on two of Villeneuve’s key observations from 2008 that also apply to our research today.

Observation #1: Rather than deface some random .pk (although they did deface several other sites too) they retaliated by defacing the .in equivalent of the site the HMG defaced. To me, this indicates skill above the scriptkiddie level.

The PCA attackers claimed that they planned and directed their attacks to deface ONGC in retaliation for the Indian defacement of the Pakistani Oil & Gas Regulatory Authority. If the PCA attacks against the ONGC were not opportunistic and indeed planned, this may suggest that the PCA attackers were more coordinated and sophisticated than run-of-the-mill “script kiddies.” Many of the personas identified within the Operation Arachnophobia research have previously worked in proximity to one another and possess the skill set to conduct defacement activity.

Observation #2: They are self-proclaimed “whitehats” whose motivation appears to be revenge and nationalism.

Within the email claiming responsibility, PCA members also made nationalistic statements such as, “This is just a matter of our nation Pakistan” and “…Pakistani’s should really be proud of this…” as well as “…plus it shows we Pakistanis can do it.“ The PCA’s claim that they are “whitehats” is also consistent with the public profiles of many of the personas identified during the time of the 2008 defacement, in either their professional employment or personal research.

Of the personas identified within the Operation Arachnophobia research, many of them maintain a certain degree of experience and professional security industry certifications. There also seems to be a deliberate and overt element of “white hat” professionalism within the public profiles of some of the individuals and organizations identified.


We cannot conclusively attribute the personas identified with the original 2008 Pakistan Cyber Army (PCA) defacement activity to the personas detailed in the Operation Arachnophobia research. However, there are notable historic relationships between these individuals and organizations identified within the Operation Arachnophobia research that seemingly match the names, aliases, skillsets, and geographic location of actors who claim to be responsible for the original PCA defacements.

  • ThreatConnect Research has identified overlaps between Operation Arachnophobia (2014) personas, PCA defacement activity and official PCA statements (2008).
  • The alias Haroon may reference Muhammed Haroon a web security professional, previously associated with zero-day research and a former Tranchulas employee.
  • Muhammed Haroon attended and presented at a hacker convention organized by Tranchulas CEO Zubair Khan.
  • Muhammed Haroon and Hamza Qamar were both employed at Tranchulas and were instructors for a web security and application hacking course in 2009.
  • The alias Abunasar may reference Abunasar Khan, a Pakistani hacker tied to BITTERBUG infrastructure, Anonymous and Antisec, who also includes the reference “Alive/Not Dead” in a personal website.
  • The alias Hamza may reference Hamza Qamar, former Tranchulas Lead Penetration tester and associate of Abunasar Khan.
  • Members of the Pakistan Cyber Army maintained an unspecified relationship with members of Pakbugs.
  • Pakistan Cyber Army and Pakbugs both maintained a common member “Hamza” who was also known as “R4yd3n” (PCA) and “Sana2005” (Pakbugs).
  • “Sana2005” publicly posted details of an early Pakistan Cyber Army defacement using the term “we” and concluding the post with “PCA” to the same Pakistani auto forum that was also frequented by Abunasar Khan.
  • Pakistan Cyber Army later claimed the defacements were nationalistic in nature, that the group comprised only three members, and that they were also “white hats”.

Operation Arachnophobia serves as an example of the benefits of cross-industry collaboration. Understanding why and how collaboration can be used as a modern security control assumes a certain level of maturity. As organizations evolve their respective threat intelligence processes and programs, organizations must also seek to mature their ability to procedurally and programmatically aggregate, analyze and act on the threat intelligence they either develop organically or receive from other parties.

If you are interested in learning more about how ThreatConnect can help your organization mature its ability to aggregate, analyze and act on threat intelligence, register now for a free account and download our free e-book on Threat Intelligence Platforms for more ideas and use cases.

Come see us live where we will be presenting Operation Arachnophobia research at:

Recorded Future User Conference

October 21, 2014, Washington, DC

ToorCon San Diego

October 25, 2014, San Diego, CA

Operation Arachnophobia: The Spy-der Who Loved Me

The story of Operation Arachnophobia is not unlike a good spy novel; the characters aren’t who they appear to be, motives must always be questioned and the twists in the plot keep you guessing until the end. Our story begins in early August 2013 with the research blog “Where There is Smoke, There is Fire: South Asian Cyber Espionage Heats Up”. Published in the shadow of ThreatConnect’s public debut and just days after the blog’s release, newly discovered events would reveal notable data points, casting suspicion that there was more to this story than originally observed. For nearly a year, we researched different angles of these events and uncovered substantial evidence of Pakistani involvement and relationships previously unreported.

In the next chapter of our tale, we find FireEye Labs and the ThreatConnect Research Team collaborating on the production of Operation Arachnophobia. Their efforts began at a Memorial Day wedding weekend, topside on the crystal blue waters of the Virgin Islands. A group of former colleagues and their wives would trade old cyber war stories and investigative tradecraft during an afternoon of island hopping, snorkeling and frozen drinks. These industry conversations usually end with the well-intended but rarely executed sentiment of, “we should work on something together,” and this was no exception. Little did they know, only a month later they would indeed find themselves making good on their Caribbean agreement.

You see, analysts and researchers often come across activity they feel would benefit from the perspective of an additional set of eyes. Taking a pragmatic look at today’s threat landscape, we must humbly acknowledge that no one organization can be all places at once; no one organization can observe everything and then deliver ground truth of the events that transpired in a timely manner. This is why teamwork and collaboration within the community are vitally important. We must be willing to come together and share knowledge if we expect to be effective in deducing modern cyber threats.

Although our story doesn’t include a chase scene, exploding cufflinks or an underwater swordfight, Operation Arachnophobia serves as an example of how two organizations can come together to make sense of technical and non-technical observations. Building off of last year’s research, the ThreatConnect Research and FireEye Labs team expanded on the initial analysis of a custom backdoor, later dubbed BITTERBUG by FireEye Labs. Analysts would detail BITTERBUG functionality and highlight notable changes across BITTERBUG samples before and after the original August 2013 ThreatConnect Research blog. In addition to focusing on the malware capability, the ThreatConnect Research/FireEye Labs team would also look at the infrastructure used in the BITTERBUG activity to uncover additional commercial Pakistani connections. The team would also identify Pakistani-based personas affiliated with these commercial entities that also appear within each other’s social networks.

To download the Operation Arachnophobia report – register here. All of the indicators associated with BITTERBUG activity have been shared within the ThreatConnect Common Community Incidents 20130731A: South Asia Cyber Espionage Heats Up and BITTERBUG Threat.

Join us for a webinar in September featuring myself and Mike Oppenheim, FireEye Principal Threat Intelligence Analyst. The webinar will be held Tuesday, September 24, 2014 at 11:00 AM ET and we will present and discuss the findings in Operation Arachnophobia.

Our team here at Cyber Squared already knows the value of community collaboration, and how that is just one part of an organization’s success in fighting our adversaries. Your organization can get started right away, whether you are a team of one or twenty: ThreatConnect is the most comprehensive Threat Intelligence Platform on the market today and can help your organization see immediate benefits and value in fighting the good fight. No more do we have to be in the dark from one another; together we can work to unravel all of the threats out there working against us. Don’t wait, register now for your free account and trial.

How To Streamline Threat Intel Sharing Before Lunch

We saw recently that GCHQ is poised to create a threat intelligence sharing community between public and private organizations in the UK. We applaud this effort and hope that more organizations follow suit. In May, we launched a European Community of Interest to achieve a similar goal of bringing together public and private organizations.

A challenge that many organizations face is how to establish a sharing community to collaborate within your organization or with other groups. With ThreatConnect, it’s easy to create a collaborative community. We allow any Team or Enterprise Subscribers, as well as Partners, to create a public or private community, a process that usually takes 30 minutes or less. For those who want a private platform to discreetly build their own communities, we offer private cloud and on-premises deployment options as well. Here are a few steps that we followed to create our public and private communities.

Characterize the need:

  • Before standing up a ThreatConnect community, you need to understand the problem you are trying to address. Determine whether the community will be addressing a general set of threats, or perhaps be focused around threats to a specific topic, event or geography.

Determine Community Privacy Policy:

  • A community privacy policy allows the owner to choose whether they will require publicly attributable user profiles or anonymous pseudonyms.  Many of our more mature ThreatConnect Communities use publicly attributable profiles because the users have pre-established working relationships and want to know who they are collaborating with.

Customize Your Community:

  • With our latest release, we allow any organization or community to customize their user experience to their existing processes and procedures. With the Attributes 2.0 feature, users can create and order their own attributes for indicator groupings in addition to individual indicators. Additionally, with “Security Labels” users can customize labels for their organization and any of their communities. Security Labels can then be applied to indicator groupings, individual indicators and attributes in accordance with organizational and community requirements. These labels can be used to classify information within ThreatConnect and either allow or restrict what content and context is shared when it is time to publish information externally.

Establish Community Rules & Policies:

  • ThreatConnect allows users to customize rules and policies to suit them; they can be as simple as the rules of “Fight Club” or more complex if needed. These policies establish the guidelines for how the community will interact with and protect one another, as well as how shared information is handled.

Invite Your Community Members:

  • Building your ThreatConnect community is as easy as sending an invitation, not unlike many other social media platforms. Once your community is operational, you may choose to delegate control to others using granular permissions to establish a variety of roles for your ThreatConnect community members.

Start Sharing:

  • ThreatConnect started with a vision of developing a platform for anyone to aggregate their threat intelligence data, analyze it quickly, and act against threats. More than just a sharing platform or threat intelligence feed, we allow our users to create and analyze threat intelligence, distilling the most relevant information from the complex security challenges that are facing organizations today. We are thrilled to see more public and private sector organizations draw closer within communities and share their threat intelligence and are hopeful that ThreatConnect will be recognized as the threat intelligence platform of choice as those communities mature.

For more information on our communities feature or on how to stand up your own community within ThreatConnect contact us today! Register for a free account to get started.

Learn more about how community collaboration can help enrich your threat intelligence data and more.

Piercing the Cow's Tongue: China Targeting South China Seas Nations

Executive Summary:

The term “Cow’s Tongue” is a reference to the Chinese-recognized nine-dashed line which demarcates a highly contested region also known as the South China Sea (SCS). Between July 2013 and May 2014, the ThreatConnect Research Team identified and shared multiple instances of Chinese Advanced Persistent Threats (APT) targeting numerous Southeast Asian entities with our ThreatConnect community members. The perpetrators of these attacks utilized malicious attachments containing subject matter associated with many Southeast Asian related topics such as military doctrine and maritime operations. These efforts are likely the direct operational result of the People’s Republic of China (PRC) government’s interest in gaining intelligence connected to the deep-rooted, multi-national disputes that are ongoing in the South China Sea (SCS) region. A sampling of the many weaponized documents reveals sensitive classification markings and candid insights within certain decoys, suggesting that these documents had been previously obtained by Chinese cyber operations against commercial, diplomatic, and military targets associated with the region and then used as bait for further targeting.

Significant real-world events, such as clashes between China and other nations within the SCS, noteworthy public demonstrations against regional Chinese aggression, U.S. diplomatic shows of support for those opposing China’s growing assertiveness, attempts by Southeast Asian nations to draw outside influence to counter Chinese pressure in maritime territorial disputes, and Chinese military posturing in the East China Sea, will serve as catalysts for Chinese cyber espionage, which will likely continue against Southeast Asian and Western military and diplomatic targets, in addition to any commercial entities that maintain economic interests within the region.

As newsworthy events within the SCS have unfolded, ThreatConnect Research has consistently aggregated and analyzed details of targeted attacks using related bait documents directed against SCS nations. ThreatConnect Research has shared this threat intelligence with ThreatConnect Communities, allowing members to quickly collaborate and act on this information. Organizations that maintain equities within the region are encouraged to develop or leverage threat intelligence within ThreatConnect to monitor the threats that are actively using cyber espionage to influence their strategic interests.

ASEAN Talking Points Exploitation:

Technical Analysis:

In late August 2013, ThreatConnect Research identified a weaponized CVE-2012-0158 Microsoft Word document exploit that was likely originally authored by Hoang Thi Ha, an Association of Southeast Asian Nations (ASEAN) Senior Officer. ASEAN is a geo-political and economic organization of ten countries located in Southeast Asia, which was formed on 8 August 1967 by Indonesia, Malaysia, the Philippines, Singapore and Thailand. Since then, membership has expanded to include Brunei, Burma (Myanmar), Cambodia, Laos, and Vietnam. Its goals include accelerating economic growth, social progress, and cultural development among its members as well as the protection of regional peace and stability and opportunities for member countries to peacefully discuss differences.

The document was related to an early stage, internal talking points memo that was prepared for the Special ASEAN-China Foreign Ministers’ Meeting held in Beijing, China from 28 – 30 August 2013. This malicious document, “Talking Points on SCS (26 August 2013).doc” (MD5: 38391CE0A667979EC69F732DBE610AFA) was engineered to drop a “Naikon” APT implant variant (MD5: 69C173C122B0A653CCFD74F2BC953C64) that calls out to the malicious command and control (C2) domain free.googlenow[.]in.

According to document properties, the talking points document was created on the 26th of August, meaning the attackers likely maintained persistent access to the ASEAN networks prior to that date, then accessed a computer or storage medium that housed the draft document, exfiltrated the legitimate document, weaponized it with an exploit and payload implant, then finally conducted secondary targeting operations, all within the 48-hour window leading up to the meeting on 28 August.


During this meeting, it was agreed that discussions on the development of the Code of Conduct of Parties in the South China Sea (CoC), which aims to be a rule-based framework in managing the conduct of parties in the SCS, would commence in September 2013. This would coincide with the 6th ASEAN-China Senior Officials’ Meeting on the Declaration on the Conduct of Parties in the South China Sea (6th ASEAN-China SOM on DOC).

Infrastructure Analysis:

ThreatConnect Research analysts were able to export historic resolutions by pivoting on the malicious domain of interest and filtering on DNS resolutions as a relation type. In the following example, ThreatConnect Research simply applied a frequency analysis of the malicious free.googlenow[.]in resolutions to city and country. From August 2013 to May 2014, ThreatConnect Research analysts identified numerous resolutions to IP addresses hosted in Kunming, China and Hong Kong, followed by cities within the US and then Australia. The attackers utilized this dynamic infrastructure as a means of “digital mobility” to circumvent network defenses and frustrate the analytic and investigative processes.


Mapping adversary infrastructure iteratively within ThreatConnect allows netDefense personnel to map and model the infrastructure that the adversary is likely to use over time. Organizations are then better enabled to develop policies and access controls, not only around infrastructure such as domains or IP addresses, but also around attributes associated with that infrastructure such as country, service provider or Autonomous System Number. ThreatConnect domain tracking coupled with Farsight Passive DNS Database (DNSDB) integration allows analysts not only to track adversary infrastructure in real time but to build historic timelines and patterns of malicious infrastructure resolutions for retrospective analytic use cases.
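As an added illustration of the frequency analysis and historic timeline described above (example code written for this page, not ThreatConnect or Farsight DNSDB code), the script below groups passive DNS resolutions of free.googlenow[.]in by city, country and ASN, weights them by active days, and lays them out by month. The IP addresses, dates and ASNs are constructed placeholders shaped like the Kunming / Hong Kong / US / Australia pattern the report describes, not real observations.

```python
"""Frequency and timeline analysis of passive DNS resolutions for a C2 domain.

Added example for this page; it is not ThreatConnect, Farsight DNSDB or any
other vendor's code. The resolution records and the IP-to-location table are
CONSTRUCTED sample data (RFC 5737 documentation addresses, RFC 5398
documentation ASNs) shaped like the pattern the report describes.
"""
from collections import Counter, defaultdict
from datetime import date

DOMAIN = "free.googlenow[.]in"   # defanged, as written in the report

# Constructed passive DNS records: (rrname, rdata, first_seen, last_seen).
PDNS_RECORDS = [
    (DOMAIN, "192.0.2.10",   "2013-08-20", "2013-09-18"),
    (DOMAIN, "192.0.2.11",   "2013-09-19", "2013-11-02"),
    (DOMAIN, "198.51.100.5", "2013-11-03", "2013-12-20"),
    (DOMAIN, "198.51.100.6", "2014-01-04", "2014-02-10"),
    (DOMAIN, "203.0.113.40", "2014-02-11", "2014-03-01"),
    (DOMAIN, "203.0.113.41", "2014-03-02", "2014-03-09"),
    (DOMAIN, "192.0.2.12",   "2014-03-10", "2014-05-30"),
]

# Constructed enrichment table: IP -> (city, country, ASN).
GEO = {
    "192.0.2.10":   ("Kunming",     "CN", "AS64496"),
    "192.0.2.11":   ("Kunming",     "CN", "AS64496"),
    "192.0.2.12":   ("Kunming",     "CN", "AS64497"),
    "198.51.100.5": ("Hong Kong",   "HK", "AS64498"),
    "198.51.100.6": ("Hong Kong",   "HK", "AS64498"),
    "203.0.113.40": ("Los Angeles", "US", "AS64499"),
    "203.0.113.41": ("Sydney",      "AU", "AS64500"),
}

_KEY_INDEX = {"city": 0, "country": 1, "asn": 2}


def _attr(geo, ip, key):
    """Location attribute for an IP, or 'unknown' when enrichment is missing."""
    loc = geo.get(ip)
    return loc[_KEY_INDEX[key]] if loc else "unknown"


def _days_active(first_seen, last_seen):
    """Inclusive number of days a resolution was observed."""
    return (date.fromisoformat(last_seen) - date.fromisoformat(first_seen)).days + 1


def resolution_frequency(records, geo, key="country"):
    """Raw count of resolutions per city / country / ASN (the simple view)."""
    return dict(Counter(_attr(geo, ip, key) for _, ip, _, _ in records))


def active_days_by_location(records, geo, key="country"):
    """Days of observed activity per attribute. Weighting by time resists
    inflation from many short-lived IPs parked in one hosting region."""
    days = Counter()
    for _, ip, first_seen, last_seen in records:
        days[_attr(geo, ip, key)] += _days_active(first_seen, last_seen)
    return dict(days)


def attribute_watchlist(records, geo, key="country", min_share=0.2):
    """Attributes that carried at least `min_share` of the domain's active
    time, most significant first: candidates for the policy and access-control
    decisions the report describes (e.g. extra scrutiny of traffic to an ASN)."""
    days = active_days_by_location(records, geo, key)
    total = sum(days.values())
    ranked = sorted(days.items(), key=lambda kv: (-kv[1], kv[0]))
    return [name for name, d in ranked if d / total >= min_share]


def _months_between(first_seen, last_seen):
    """Yield 'YYYY-MM' for every month touched by [first_seen, last_seen]."""
    first, last = date.fromisoformat(first_seen), date.fromisoformat(last_seen)
    y, m = first.year, first.month
    while (y, m) <= (last.year, last.month):
        yield f"{y:04d}-{m:02d}"
        y, m = (y + 1, 1) if m == 12 else (y, m + 1)


def monthly_timeline(records):
    """Sorted IPs active in each month: the retrospective view that exposes
    infrastructure rotation ('digital mobility') over time."""
    months = defaultdict(set)
    for _, ip, first_seen, last_seen in records:
        for month in _months_between(first_seen, last_seen):
            months[month].add(ip)
    return {month: sorted(ips) for month, ips in sorted(months.items())}


if __name__ == "__main__":
    print("resolutions by country:", resolution_frequency(PDNS_RECORDS, GEO))
    print("active days by city:   ", active_days_by_location(PDNS_RECORDS, GEO, "city"))
    print("ASN watchlist:         ", attribute_watchlist(PDNS_RECORDS, GEO, "asn"))
    for month, ips in monthly_timeline(PDNS_RECORDS).items():
        print(month, ", ".join(ips))
```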


The malicious domain googlenow[.]in is registered by the email address

ThreatConnect Research analysts established a ThreatConnect Track, using integrated Reverse Whois and Registrant Alerts data services from DomainTools, around unique adversary selectors, allowing analysts to identify other malicious domains that may have been registered in the past, as well as to enable system alerting on any domains that may be registered in the future.


In this case, the email registrant was used to register other associated malicious Naikon APT domains such as googledoc[.]in and googleoffice[.]in. These respective domains had several associated sub-domains that all had their own domain resolution histories.


The faux “” email address was likely created to masquerade as the legitimate email address belonging to the real Ivy Fatima Ferrer, an Assistant in the Department of Foreign Affairs, ASEAN, who uses the real email address of “”. In the example below, ThreatConnect Research was able to validate that Ivy Fatima Ferrer uses her personal Yahoo email address for ASEAN related business.


Individuals and organizations should avoid using free personal webmail for work-related matters, as it limits the ability of organizational netDefense providers to deliver security services around corporate assets. Converging public and private accounts also increases the surface area through which persistent adversaries may target a given user. If compromised, an unwitting user may introduce costly security risks from their personal accounts, personal computing platforms or personal mobile devices into a corporate network.

Additionally, users who work for organizations that are often targeted, such as ASEAN, should avoid providing such a specific email address to individuals or organizations that are likely to publish publicly available attendance rosters. Such rosters serve as excellent targeting lists for attackers to use within spearphishing operations.

Classified Filipino Document Exploitation:

ThreatConnect Research has identified significant targeting of Filipino military and diplomatic entities by China based threat groups. One such incident contains indicators associated with a targeted CVE-2012-0158 exploit that carries a decoy document classified “CONFIDENTIAL”, which was a Letter of Instruction referencing a change of command for Philippines Commander Navy Forces West, who are responsible for an area of operations that includes the South China Sea.


This document exploit (MD5: 92853AF8C12BEF34A568AE93DBDE792C) drops a Mirage RAT APT payload binary (MD5: C4068DC6A813E9BB0EFFCB0F5517B2FB) to %TEMP%\iExplorer.exe. The Mirage RAT executable connects to the dynamic command and control domain us.mylftv[.]com. This C2 overlaps with other suspicious dynamic domains such as philistar.dyndns[.]org and phimodel.vicp[.]net, all of which carry a Philippines-themed naming convention, suggesting the likelihood of targeting Filipino interests and introducing the possibility of broader targeting of individuals and organizations associated with Philippines media and news.


The ThreatConnect Incident 20140106A: Philippines Air Defense Identification Zone Word Exploit is another Filipino military themed incident that has been shared within the ThreatConnect Subscriber Community. This Incident highlights a targeted CVE-2013-3906 Word exploit (MD5: 3651CA104557572206956C00E4B701B7) that downloads a Mirage self-extracting dropper executable (MD5: 1DCD7489F14362BFA96074A64A16D215) from the URL http://mirefocus[.]com/kb2484033.exe. This downloaded payload deployed a Mirage RAT implant (MD5: 3532D7F41D162D0F1B1484938C5A34BA) that connected to the C2 domain spacewing1.vicp[.]cc. This dynamic C2 overlaps with other known Filipino-related dynamic domains, such as the sinkholed domain philippine.dyndns[.]org and the domain philippineairlines.dyndns-server[.]com.


In September 2013, ThreatConnect Research identified a document that dropped malicious software and a decoy associated with Classified Filipino counter terrorism operations labeled as “SECRET”. The decoy contained a tactical terrorism threat briefing report from early September 2013. This document (MD5: 1F0889AC3A7A8872262C04187E7B9849) leveraged CVE-2012-0158 and dropped an implant with an MD5 hash of 7FDCB9B679DE04B8C68C504E3FFCCC89 that initiated C2 communication with the dynamic domain ebookedit.ticp[.]net.


The compromise of Filipino documents marked “CONFIDENTIAL” and “SECRET” indicates that classified Filipino government networks have likely been breached. Not only have these classified documents been exploited for direct intelligence gathering activity, but they have also been repurposed by the China-based adversary to conduct secondary follow-on exploitation campaigns.

From a strategic security perspective, this introduces the possibility that regional partners, as well as international partners like the US Departments of Defense and State, who may currently be sharing classified information or participating in joint operations within the Philippines, may also be subject to compromises of classified digitally stored information, or may find themselves subjected to similar secondary targeting operations. Western and regional military and diplomatic organizations should be wary of sharing classified information with their Filipino counterparts until they can ensure that classified communications and handling process are indeed safeguarded within these sensitive environments.

The “Naikon” Targeting Campaign & “HardCore Charlie”:

Additional ThreatConnect Research analysis has identified more document exploits also related to the Philippines Navy. These exploits dropped similar implants interfacing with overlapping infrastructure. The documents were identified as being part of the “Naikon” APT threat campaign. This Chinese APT group primarily targets personnel and organizations who maintain interests within Southeast Asia.

In April 2012, numerous documents were released online by a hacktivist using the online moniker of “Hardcore Charlie.” These documents appear to have been sourced and possibly stolen from various businesses and governments in different countries, including the United States, the Philippines, Myanmar, Vietnam, and others. The documents were purported to have been taken by Hardcore Charlie from the Beijing based military contractor China National Import & Export Corp (CEIEC). Many of these stolen documents also contained malicious software that initiated C2 communications with domains that resolve to the same infrastructure as the Filipino military themed campaigns described above.



Vietnamese Exploitation:

Although we mention a number of examples where Filipino entities have been targeted, ThreatConnect Research has also consistently observed Vietnamese entities being targeted. This includes individuals and organizations associated with Vietnamese energy development and natural resources. A key observation across several of the campaigns is the naming conventions used by the perpetrators, which demonstrate a likely interest in several Vietnamese organizations.

and Vietnamese Ministry of Natural Resources

ThreatConnect Research has been tracking the domain “monre.scvhosts[.]com” since December 2012, after enriching infrastructure initially reported within Artem Baranov’s analysis of the Chinese backdoor Zegost. The scvhosts[.]com domain was registered by the malicious registrant that was also identified as being responsible for registering other malicious C2 domains. This sub-domain has likely been used within targeting campaigns against those associated with the Vietnamese Ministry of Natural Resources (MONRE). The MONRE is a government ministry in Vietnam which is responsible for managing natural resources such as land, water, minerals, geology, environmental protection, waste management, hydrometeorology, climate change, surveying and mapping, and management of coastal zones and islands.


Chinese targeting of the MONRE would be consistent with a standing intelligence collection requirement to obtain insights into offshore oilfield development block contracts, as well as details surrounding the locations of strategic mineral reserves within coastal waters.

and Vietnam Posts and Telecommunications Group

ThreatConnect Research has been tracking the domain vnpt.conimes[.]com since December 2012; it was also identified as an infrastructure enrichment based on the Zegost backdoor analysis. The conimes[.]com domain was also registered by the malicious registrant. This sub-domain has likely been used within targeting campaigns against individuals and organizations associated with the Vietnam Posts and Telecommunications Group (VNPT). VNPT is a telecommunications company and the national post office, which is owned by the Vietnamese Government. VNPT is listed as one of the seven largest businesses within Vietnam, and it also owns the mobile telecommunications providers VinaPhone and MobiFone.


Chinese targeting of VNPT would be consistent with a standing signals intelligence collection requirement to remotely obtain digital communications. Remote access to a centrally controlled mobile telecommunications service provider would allow Beijing to leverage a significant voice, data and SMS intercept capability within Vietnam.

and PetroVietnam

ThreatConnect Research has been tracking the domain “pvep.scvhosts[.]com” since December 2012; it was also identified as an infrastructure enrichment based on the Zegost backdoor analysis. This sub-domain has likely been used within targeting campaigns against those associated with PetroVietnam (PVEP). PetroVietnam is the trading name of Vietnam Oil and Gas Group, which is wholly owned by the Vietnamese central government. It is responsible for all oil and gas resources within the country and has become Vietnam’s largest oil producer and second-largest power producer.


Remote Chinese access to the largest oil and gas producer within Vietnam would allow Beijing to gain candid insights into strategic business transactions such as PVEP licensing rounds, contract negotiations, energy exploration, and ongoing oilfield development operations. While the PVEP enterprise may have served as an initial target, over time attacker motivations shift as targets of opportunity present themselves. For example, the Lan Do and Lan Tay gas fields and subsea pipelines are jointly owned by organizations such as British Petroleum and ConocoPhillips and supported by sub-contractors, all of whom are affiliated with majority-held PVEP projects. Together, these organizations could easily fall victim to a single threat from one organizational point of entry due to the interwoven and integrated nature of the oil and gas industry’s business operations.

and Thong Tan Xa Viet Nam (Vietnam News Agency)

ThreatConnect Research has been tracking the malicious C2 domains “ttxvn.gnway[.]net” since February 2014 and “www.ttxvn[.]net” since December 2013.


These sub-domains have likely been used within targeting campaigns against individuals and organizations associated with Thong Tan Xa Vietnam (TTXVN), an official Vietnamese Government Agency and the official news provider. As the central news agency for the country, the Vietnam News Agency (VNA) is responsible for collecting and distributing news.


Chinese cyber espionage directed against major global media outlets is a consistent pattern that was first publicly highlighted in 2013, when media organizations such as the New York Times, Wall Street Journal, Dow Jones and Washington Post announced that they had all been victims of Chinese cyber espionage. Remote access to individual journalists, as well as larger media organizations, allows attackers to obtain candid insights into sensitive information such as journalists’ sources or the production schedules of news stories that may be perceived as negative or derogatory to China.
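Pulling the C2 domains named in the Filipino and Vietnamese sections above into one watchlist, the following added example (written for this page, not ThreatConnect’s code) refangs the bracketed indicators and runs them over resolver log lines, treating attacker-registered domains as suffix matches and hosts on shared dynamic-DNS providers as exact matches. The log lines, client addresses and log format are constructed; the campaign labels summarise the report’s own attributions.

```python
"""Match DNS query logs against the defanged C2 indicators named in this report.

Added example for this page, not ThreatConnect code. The indicator labels
below summarise the report's own attributions; the log lines are CONSTRUCTED
(RFC 1918 client addresses, example.org benign queries) and are not real data.
"""
import re
from collections import defaultdict

# Attacker-registered domains: the report notes that googlenow[.]in,
# googledoc[.]in and googleoffice[.]in each carried several sub-domains, so any
# host under these parents is suspect.
REGISTERED_C2 = {
    "googlenow[.]in": "Naikon APT registrant",
    "googledoc[.]in": "Naikon APT registrant",
    "googleoffice[.]in": "Naikon APT registrant",
    "scvhosts[.]com": "Zegost-linked registrant",
    "conimes[.]com": "Zegost-linked registrant",
}

# Hosts on shared dynamic-DNS providers: match the exact hostname only, since
# treating all of vicp[.]net or dyndns[.]org as hostile would flag legitimate users.
EXACT_C2 = {
    "us.mylftv[.]com": "Mirage RAT C2",
    "philistar.dyndns[.]org": "Mirage RAT C2 overlap",
    "phimodel.vicp[.]net": "Mirage RAT C2 overlap",
    "spacewing1.vicp[.]cc": "Mirage RAT C2",
    "philippine.dyndns[.]org": "Mirage RAT C2 overlap (sinkholed)",
    "philippineairlines.dyndns-server[.]com": "Mirage RAT C2 overlap",
    "ebookedit.ticp[.]net": "CVE-2012-0158 decoy implant C2",
    "ttxvn.gnway[.]net": "TTXVN-themed C2",
    "www.ttxvn[.]net": "TTXVN-themed C2",
}


def refang(indicator):
    """'free.googlenow[.]in' -> 'free.googlenow.in', normalised for matching."""
    return indicator.replace("[.]", ".").lower().rstrip(".")


_EXACT = {refang(k): (k, v) for k, v in EXACT_C2.items()}
_PARENTS = {refang(k): (k, v) for k, v in REGISTERED_C2.items()}


def classify(qname):
    """Return (defanged indicator, label) for a hostile query name, else None."""
    q = refang(qname)
    if q in _EXACT:
        return _EXACT[q]
    for parent, hit in _PARENTS.items():
        # The leading dot stops 'notgooglenow.in' from matching 'googlenow.in'.
        if q == parent or q.endswith("." + parent):
            return hit
    return None


# Constructed resolver log format: ISO timestamp, client IP, query name, type.
LOG_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) qname=(?P<qname>\S+) qtype=(?P<qtype>\S+)$")

SAMPLE_LOG = """\
2013-09-02T08:14:07Z client=10.1.1.23 qname=intranet.example.org qtype=A
2013-09-02T08:14:09Z client=10.1.1.23 qname=free.googlenow.in qtype=A
2013-09-02T08:15:41Z client=10.1.1.23 qname=mail.googledoc.in. qtype=A
2013-09-02T09:02:12Z client=10.1.1.57 qname=notgooglenow.in qtype=A
2014-01-07T11:30:55Z client=10.1.2.8 qname=SpaceWing1.vicp.cc qtype=A
2014-01-07T11:31:03Z client=10.1.2.8 qname=other-user.vicp.cc qtype=A
2014-03-15T16:45:00Z client=10.1.3.4 qname=monre.scvhosts.com qtype=A
this line is malformed and must be skipped, not crash the scan
"""


def scan_dns_log(lines):
    """Parse log lines and return one hit record per query to a C2 indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        verdict = classify(m["qname"])
        if verdict:
            indicator, label = verdict
            hits.append({"ts": m["ts"], "client": m["client"],
                         "qname": refang(m["qname"]),
                         "indicator": indicator, "label": label})
    return hits


def clients_by_label(hits):
    """Group affected internal hosts by campaign label for triage."""
    grouped = defaultdict(set)
    for h in hits:
        grouped[h["label"]].add(h["client"])
    return {label: sorted(c) for label, c in grouped.items()}


if __name__ == "__main__":
    found = scan_dns_log(SAMPLE_LOG.splitlines())
    for h in found:
        print(f'{h["ts"]} {h["client"]} -> {h["qname"]} [{h["label"]} via {h["indicator"]}]')
    print(clients_by_label(found))
```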

ThreatConnect & Recorded Future Joint Collaboration:

Armed with this analysis, ThreatConnect Research shared our findings with our friends at Recorded Future. Recorded Future’s web intelligence platform is able to leverage public sources of news and social media events to visualize, scale and scope geo-political events within the SCS across a timeline. The Recorded Future team identified publicly available open source content that either pre-dated or post-dated the espionage activity that was analyzed and shared by ThreatConnect.

See the interactive Recorded Future timeline here

When we overlay Recorded Future’s open source research with technical analysis developed within ThreatConnect, we can visualize the notable events surrounding the South China Sea. When aligned along a timeline, we can then make inferences as to the likely causes and effects by which attackers may have used network exploitation campaigns to leverage information from several South China Seas nations. These complementary views deliver key perspectives that analysts may leverage to better understand context and deliver effective decision support for today’s technical and business leaders.

Likely Attacker Motives:

History of Conflict in the South China Sea

According to the think tank, Council on Foreign Relations, China, Taiwan, Vietnam, Malaysia, Brunei and the Philippines all have historical territorial claims in the South China Sea, particularly over rights to exploit oil and gas reserves. The Philippines and Vietnam have most prominently disputed Chinese territorial claims. Vietnam and the Philippines consider territories in the South China Sea important to national security, trade routes, traditional fishing grounds and a source of offshore energy resources.

Vietnam and the Philippines have supported the U.S. pivot to Asia, while also reaching out diplomatically to garner support to counter China’s growing aggression in the SCS. The Philippines have been utilizing assistance from Japan and the U.S. to augment its defense and maritime law enforcement capabilities while Vietnam looks to India and Russia to counter China in the region. Both countries also plead their case in the SCS dispute to ASEAN.

In early 2014, the Philippines went to the United Nations to arbitrate their dispute over China’s nine-dashed line, which has been widely considered a weak basis for extensive Chinese claims in the SCS. This increased tensions with China, who has been insistent on negotiating territorial disputes in the SCS with other countries individually.

International Oil Interests in the South China Sea

According to the U.S. Energy Information Administration (EIA), “Asia’s robust economic growth boosts demand for energy in the region. EIA projects total liquid fuels consumption in Asian countries outside the Organization for Economic Cooperation and Development (OECD) to rise at an annual growth rate of 2.6 percent, growing from around 20 percent of world consumption in 2008 to over 30 percent of world consumption by 2035. EIA expects China to account for 43 percent of that growth. With Southeast Asian domestic oil production projected to stay flat or decline as consumption rises, the region’s countries will look to new sources of energy to meet domestic demand. China in particular promotes the use of natural gas as a preferred energy source and set an ambitious target of increasing the share of natural gas in its energy mix from 3 percent to 10 percent by 2020. The South China Sea offers the potential for significant natural gas discoveries, creating an incentive to secure larger parts of the area for domestic production.”

China ADIZ in East China Sea

On 23 November 2013, the New York Times reported that “the Chinese government claimed the right to identify, monitor and possibly take military action against aircraft that enter a newly declared “air defense identification zone,” (ADIZ) which covers sea and islands also claimed by Japan and threatens to escalate an already tense dispute over some of the maritime territory.” Following that, the New York Times reported that “two long-range American bombers flew through contested airspace over the East China Sea, days after the Chinese announced they were claiming the right to police the sky above a vast area that includes islands at the center of a simmering dispute with Japan.” DoD officials stated this was a training exercise scheduled long in advance of China’s newly declared air defense identification zone. According to a Japanese report in late January 2014, China is considering declaring a new ADIZ over the SCS, a move likely to increase tensions in the area.

Recent Tensions in the South China Sea

In May of 2014, nearly a week after a China National Offshore Oil Corporation drilling rig (HD-981) was deployed 120 nautical miles off the coast of Vietnam, in an area that Vietnam claims is within its exclusive economic zone, Vietnamese officials released a video of Chinese vessels using water cannons and ramming Vietnamese fishing ships. This came just a day after Philippine authorities seized a Chinese fishing boat, eventually charging its crew with poaching endangered sea turtles near the Parcel Islands. This recent clash has caused regional uncertainty and instability, both of which have negatively impacted the Vietnamese stock market with a significant 13% decline.

Regional entities are not the only ones to fall victim to increased Chinese aggression within the SCS. In December 2013, China deployed its first aircraft carrier, the Liaoning, to the SCS. According to reports, during this deployment the USS Cowpens, a U.S. guided missile cruiser operating in international waters within the SCS, was forced to take evasive action on December 5, 2013 to avoid a collision with a Chinese warship maneuvering nearby. The incident occurred while the USS Cowpens was operating in the vicinity of the Liaoning.

As fissures erupt along geographic boundaries within the SCS, those affiliated with regional interests should expect to see an increase in cyber activity surrounding real world events. International bodies such as ASEAN and the United Nations, as well as individual nations, should expect to see targeted attacks from sophisticated operators seeking to monitor internal communications or bi-lateral / multi-lateral exchanges between member nations. China’s ability to maintain a remote persistence within these targeted enterprises and exploit information provides Beijing with the agility to influence or counter regional policy developments or international arbitration.

Individuals affiliated with national level military, diplomatic or economic interests within the SCS should seek to safeguard any communications, including classified material, when engaging in information exchanges with their Filipino counterparts. Filipino entities responsible for safeguarding classified information should review their classified networks and validate that there are indeed no network breaches or cross-domain violations. International partners, for example USPACOM or USSOCOM, who may be actively sharing classified data with the Philippines during training exercises or while conducting joint counter-terrorism operations, may want to consider using alternate communication mediums until classified networks and systems can be secured.

As individual SCS nations seek to address China’s growing assertiveness, they should be mindful that cyber espionage remains the primary “low risk, high payoff” tactic of choice for the Chinese. While nations like the Philippines have been the most outspoken against Chinese aggression, SCS nations such as Vietnam are now experiencing the effects of Beijing’s self-interest. The intent is clear: not only will China continue to test physical boundaries, but it will do so by aggressively seeking to position itself deep within the digital infrastructure and key centers of gravity of SCS nations.

Although western commercial interests may be geographically insulated from the SCS, they are not immune to regional cyber espionage. Industries such as energy, mining, and transportation may find themselves directly or indirectly impacted as regional tensions ebb and flow. It is important for those within these sectors to actively invest in threat intelligence processes as a standard business practice that supports internal information security operations. It is equally important that technical leaders effectively interpret and articulate such regional threats and the context surrounding them to corporate business leaders.

Organizations must assess and acknowledge the likelihood that they may be a target, if not already compromised, but without adopting a victim mindset. By proactively and routinely acquiring technical and non-technical geo-political context and fusing it with seemingly isolated security events, organizations can develop a richer understanding of sophisticated threats and their motivations, which ultimately provides stronger corporate decision support.

If you are interested in leveraging the industry’s most comprehensive threat intelligence platform to aggregate, analyze and act on threat intelligence, register for a ThreatConnect account and join our communities to access these incidents and the associated signatures. To contact us directly, please reach out to