Threat Talks - Your Gateway to Cybersecurity Insights

Russia’s most notorious cyber unit—Seashell Blizzard (also known as Sandworm, APT 44 and Iron Viking)—has taken down shipping giants, Olympic systems, and Ukraine’s power grid.

In this Threat Talks deep dive, Lieuwe Jan Koning, Yuri Wit (Red Team), and Rob Maas (Blue Team) reveal exactly how these attacks unfold, why they’re so hard to stop, and how Zero Trust can tip the balance back to defenders.

  • (00:00) - Cyber warfare in the Ukraine conflict: setting the stage
  • (01:10) - Who is Seashell Blizzard? Names, aliases, and Russian GRU ties
  • (04:00) - NotPetya, Olympic Games, and high-profile disruption campaigns
  • (07:31) - Initial access: stealth exploits on edge devices
  • (11:40) - Privilege escalation via Living-off-the-Land (LOLBin) tactics
  • (15:23) - Weaponizing Group Policy Objects with “Tank Trap” for mass wipers
  • (19:13) - Objectives: disruption, damage, and public bragging rights
  • (23:40) - Zero Trust defenses, segmentation, and last-resort recovery

Key Topics Covered
• Seashell Blizzard’s attack chain: from stealth reconnaissance to mass destruction.
• NotPetya & global fallout: when a Ukraine-targeted attack crippled global shipping.
• Defense strategies: hardening edge devices, segmentation, and EDR behavior detection.
• Zero Trust in action: protecting critical assets before the breach happens.

Related ON2IT Content & Referenced Resources
• ON2IT Threat Talks Playlist: https://www.youtube.com/@ThreatTalks/playlists
• ON2IT Zero Trust Resources: https://on2it.net/zero-trust
• MITRE ATT&CK – Sandworm Team (APT 44): https://attack.mitre.org/groups/G0034/

🔔 Follow and Support our channel! 🔔
► YOUTUBE: https://youtube.com/@ThreatTalks
► SPOTIFY: https://open.spotify.com/show/1SXUyUEndOeKYREvlAeD7E
► APPLE: https://podcasts.apple.com/us/podcast/threat-talks-your-gateway-to-cybersecurity-insights/id1725776520

👕 Receive your Threat Talks T-shirt
https://threat-talks.com/

🗺️ Explore the Hack's Route in Detail 🗺️
https://threat-talks.com

🕵️ Threat Talks is a collaboration between @ON2IT and @AMS-IX

What is Threat Talks - Your Gateway to Cybersecurity Insights?

Threat Talks is your cybersecurity knowledge hub. Unpack the latest threats and explore industry trends with top experts as they break down the complexities of cyber threats.

We make complex cybersecurity topics accessible and engaging for everyone, from IT professionals to everyday internet users, by providing in-depth and first-hand experiences from leading cybersecurity professionals.

Join us for monthly deep dives into the dynamic world of cybersecurity, so you can stay informed, and stay secure!

Kind: captions
Language: en

In today's wars, cyber attacks are a crucial part.

We've seen this, for example,
in the war on Ukraine by Russia.

So it's about time we actually do a deep
dive into how this works

and what these groups do
and how these countries do it.

And today's subject is about Russia.

So welcome to Threat Talks and here
from the Security Operations Center

at ON2IT.

We bring you Threat Talks the Deep Dive
and the subject is the Seashell Blizzard.

Let's get on to it. Welcome to Threat Talks.

Let's delve deep into the dynamic world
of cybersecurity.

And here to help me create this episode
today is Yuri Wit.

He is one of our esteemed members of the
Security Operations Center right here.

And he specializes in figuring out
how these bad guys actually

work, what they do, and what

amazing things they come up with.

Yuri, welcome.

Thank you for having me.

And on the other side,
he's going to represent the attacker

and the hackers and on the other side,
the good guy.

Rob Maas. He's the Field CTO of ON2IT.

And we always turn to Rob
if we want his advice on

how to fend off these awful attacks
that you are, well, not doing

maybe. You would know.

Gentlemen, welcome.

First of all, I said Seashell Blizzard.

But that may not resonate with
everybody, but that's the main name

we chose for this episode.

But they go by a lot of names.

I mean, APT 44, Sandworm,
Iron Viking, Electrum.

I probably forget a few.
Who is schizophrenic?

These guys or us in giving them
a different name all the time?

Definitely us.

The main reason for all these
different classifications

of a group is purely
all the different companies

and threat investigators:
whenever they look into threats seen,

they'll apply a different name
to the threat actors,

and then eventually they'll figure out,
hey, we have seen this behavior before,

and they'll start attributing it to the ‘right name’.
[ ] come up with a name

and then after the fact, realize,
oh, it's the same guys as them. Exactly.

And then they already published
their first time on this. Yeah.

And themselves, I mean, we're going to
spoil the end of the episode a little bit,

maybe, but these guys brag
about their achievements. A lot.

Yeah. Yeah. So. And do they use
different names as well?

No. Not really.

They're pretty consistent in that regard.

Usually whenever they announce
their attacks, which they often do,

they'll go under the alias of Cyber Army

of Russia Reborn, and they use a
Telegram channel of the same name,

to personify themselves as a hacktivist
group fighting the good cause.

So when we’re talking
about a group like this,

what do we actually mean?

Because we probably have come to
the conclusion that they are the same

because they use the same tactics,
same... Procedures.

Yeah. Same everything.

Their infrastructure is
the same all the time.

But is this the government of Russia?

Or is it, do they hire them,
are these guys

working from home, is there an office
building somewhere in Moscow?

Do we know?

Well, we will never know for certain.

That's the thing with all APTs globally.

However, with the amount of attacks
that we've seen from this group,

or at least attacks that follow
the same behavior of this group.

We can highly likely attribute them
to one of the GRU

actual intelligence organizations
of the Russian military.

They go, within the Russian military,

they go by the military unit
classification 74455.

Which doesn't really roll off the tongue,
which is why MITRE has opted to call them

the Sandworm Team or
Sandworm, or a variation of that.

Okay.

And what can we say about
what they achieved or did wrong

so far? I mean the Sandworm,
I think we know them

from a worldwide spread in
harbors that brought down... Petya.

Yeah.

For example, they have done that as well.

Yeah.

Well, their main focus has
always been on attacking

Ukrainian businesses
and Ukrainian organizations.

The NotPetya attack that was
seen in 2017, that shut down

basically the global shipping industry
was actually a side effect of an attack,

of a supply chain attack
that the group did on

Ukrainian organizations.

It was just a regular worm

wiper malware, it was a
ransomware, hence the name

NotPetya, because Petya was a ransomware.

This was a more refined version
of the Petya ransomware

that was purely used for wiping
and making, as much of...

Yeah, wiping, making damage,
making sure the systems are down.

So, nothing can get work.
Purely focused on disruption.

Which spread itself through SMBv1 links
to all the other major shipping ports

around the world, causing massive
damage, even greater

than what the group apparently
seemed to have intended.

Their initial target was purely
just Ukrainian businesses.

Yeah, I thought it was injected by
an update in a kind of accounting

software for, to talk to
the Ukrainian government.

Yeah. Yeah. No, we don't
know this for sure

because the details get a little bit fuzzy
at this point.

But, a lot of security researchers,
are confident that this initial attack

vector was the expectation
of update service for this

accounting software,
which then automatically spread itself

through automatic updates to the software
used by all these Ukrainian businesses.

That was way before
the war on Ukraine.

Yeah.

Because now, Rob, in Ukraine
apparently they are,

we always see here that the
Ukrainians are actually quite good

in defense, in cyber defense
and it’s not because the Sandworm, the,

whatever name we do choose for them here,

is not attacking them. Correct.

But we've seen impact.

Yeah.

Well, what I think Ukraine is
doing well here is focusing on

what really is important.

If I can go to Zero Trust,

I would say they know their protect surfaces.
We started with Rob and it’s about Zero Trust already.

But it’s like the energy, the power plants,
they're really protecting them

well, maybe they even airgap them
to prevent these kinds of attacks.

But by knowing that these are targets for
this group, I'm not going to say a name

because I don't know
which name it is anymore.

Well, let's say we say
Seashell Blizzard for this....

Seashell Blizzard is really focusing
on these kinds of

industries, and you know that,
then you also know,

okay, I need to take measures there, and
that's what Ukraine is doing really well, I think.

Yeah, we thought German power,

wind generators, would actually go
down because of the attack.

Probably used for, so Ukrainians
were able to stop the attack,

but other countries... Yeah.
We also did an episode on that.

Yeah, indeed.

All right. So, oh, yeah, and there
was another one that was

the Olympic Games,
the Winter Games in Korea, right?

Yes. What happened there?

A very similar story is,

they were able to compromise a lot of
systems used by the Olympic teams.

And the Olympic Organization,
and just wipe them.

It was purely for disruption purposes.

Or at least that's what we can see.

What do they gain from this then?

Why would you as Russia
want to destroy...

This is probably because the Russians
were eliminated from the games.

Retaliation then.

Yeah. Yeah. Okay.

Yeah, I guess that happens.

Okay. So then let's start
at the beginning of attack.

So is there anything to say
about how they get initial access?

Yes. This group is very notorious for
their very stealthy initial attacks.

Usually when they start attacking a target,
they focus on being as quiet as possible.

They go for very hard to detect
compromised edge infrastructure.

So either firewalls or switches
or whatever is on the edge of the target.

But they do it in a very stealthy way

by not just bombarding them
with continuous exploitation requests.

They very diligently do their research
before they even start attacking.

And then even once they...
They shoot sharp, you might say.

Exactly. Yeah, yeah,
they shoot very sharp.

And then from then on, the moment
that they have initial foothold,

they stay stealthy, they go loud, but they
go loud in a very late stage of their attack.

Rob, from a defense department,

is there something
you can do about that

stealthy thing if they are trying
to figure out your environment

in a stealthy way? So in the
first stages of the Cyber Kill Chain,

reconnaissance. Is there anything to gain?
To a certain extent you can.

We all know LinkedIn.

I know, I think that's a good example.

If you have your company on there,
then probably a lot of employees

are linked to your company
and they state, for example, their job.

And if the job is Windows
Server Administrator,

then you probably know that the company
is running Windows servers.

So you can look for vulnerabilities
for example, in the- [ ]

Well, the information is out there,
so they can use it without

getting noticed, because LinkedIn
is just public information.

So that’s, and you can do something about it.

But that might be restricting your
employees from spreading this information.

Yeah. It's going to be hard.
And even if someone [ ] hire

someone who has done the Windows
administration all these years and

your company rule is do not
say what you're doing here.

I think this really, depending on
the industry, I think this is a Defense,

well, if you're working for the military,
I think this is quite common.

But if you're just a regular organization, then
most of this will just end up on LinkedIn.

Yeah, but what he says is,
they attack at infrastructures.

So the VPN concentrator itself.
Yeah, for edge devices

you can take some countermeasures.

First of all, if you have, let's pick
the VPN concentrator or the VPN gateway,

don't put them together with your firewall.

We also discussed this before
because the firewalls

should regulate traffic flow [ ]
been a theme since last year,

your VPN infrastructure, your
security infrastructure is under attack,

so make sure you segment that out as well.

We saw that, it's still going on, but
especially last year we saw a lot of

vulnerabilities for different
vendors, on edge devices.

Firewalls, mainly.

And that was because the firewall was
running not just firewall, was not doing

just firewalls, also a VPN concentrator or
showing a portal like a web server.

And in those applications there were found

vulnerabilities and they were abused,
for example, by Seashell Blizzard.

Yeah. So by.... Yeah. Checkpoint
came out with one recently again.

Yeah, it's still going on,

but one of the countermeasures
you can take is

make sure that those functionalities
are taken off your

security device, so
take them off your firewall,

put them in a different segment so at
least you can have more control

about the flows there. Okay.

So their initial access is really stealthy,

edge devices, so it’s less sending PDFs
and trying to get into the endpoint then.

Yeah.

No, they commonly, go for known vulnerable
machines and they try to exploit vulnerabilities.

They do a lot of zero day
based attacks as well.

I mean, they are a very
competent military unit,

so it's not like they just
find their exploits online.

But, yeah. We've almost never
seen an attack by Seashell Blizzard

where they purposely
used a more loud technique

like phishing or spear
phishing to gain that initial access.

Interesting. Yeah. Okay.

And then the next step
is privilege escalation.

Yeah, yeah.

Also a very stealthy method.

They primarily focus
on using LOLBin attacks.

So living off the land, meaning
to only use binaries and executables

that are found on the target’s
infrastructure already, and not [ ]

Please explain that a little bit.

So someone is on this
VPN concentrator, so

they gained access to the
operating system there.

Through a zero day.

And then living off the land

means there's tools already installed
on that machine to perform attacks.

Yeah. Why are they there? Well,

with every operating system,
there are a lot of pre-installed tools

and binaries that are just integral to
the functionality of the operating system,

and definitely whatever actual solution
is installed on it.

So Rob is not going to say
harden your devices,

because then it doesn't work, because
you also need those tools to function.

Yes. I would argue that.
It's not... yes, partly true,

but, for example, I see a lot of PowerShell
still be available for users.

For a lot of systems,
PowerShell is not needed.

That's one side. The other side-

So PowerShell shouldn't even
be on... If it is not needed,

make sure it's not there. Yeah.

And it's just a very simple example.

But also, even if PowerShell is there,

then the user should not be able
to execute PowerShell

if it is just a regular user
and not an administrator,

because probably, the attacker,
once they gained access,

they are there with their
default user first, before they

promote their privileges.

So if you then can limit the use of these tools,
you make it much harder for them.

The last part you can do here
is have an EDR tool installed

that can also check for behavior.

Yeah.

Because it's important to note
that these LOLBin attacks, the reason why

they're called living off

the land, is not because these tools
are inherently dangerous to use.

It's purely due to the fact that all
these tools can be exploited in such a way

to do additional attacks, like enumeration
of the rest of the network.

I mean, if you have ping installed
on your machine,

an attacker compromises
that machine, then ping is available

to use from within that machine
to do a very basic check

on other-
Yeah, given their focus on stealthiness,

I mean, if you would first download

like a second stage thing, that would
probably be detected at some point.

So you want to avoid that
as an attacker. Yeah.

So definitely if you're using EDR systems.

Yeah.

So therefore to make it really hard
and... Yeah, so sounds a bit dangerous.

Or are we confident that
with proper controls

it shouldn't even get to this part,

so we can then close this episode
and it's then up to everybody to...

No, I don’t think there’s... so there's
no such thing as 100% security.

And that's also in this case.
But we can make it much harder.

And I think,... so the things
that we already discussed,

privilege management, making sure
you’re hardening the system,

installing EDR software, also segmentation

briefly discussed in the
previous part of this...

[ ] segmentation being that
if they are on a system that is not,

they have to start all over again
because there is yet another barrier

to get to [ ] Yeah and especially like,
in this case, they want to do damage.

So they probably want to infect
or at least have access

to a lot of systems to make the blast
radius bigger and the effect bigger.

So if you do proper segmentation
or at least make it really hard for them

to get to that radius. Yeah.

Okay.

And then what happens?

Well, we've seen time and time
again in all the engagements

that Seashell Blizzard has been
attributed to or contributed to,

we see that their main goal
is to get access to the group policy

object configuration within
a target’s Active Directory

configuration.
For the 99.9% of our listeners or viewers

that have not ever seen such
a thing, explain: what is that?

So, within Active Directory,
which is the user identity

privilege management tool that basically
every enterprise on earth uses.

There's this thing called GPO, Group
Policy Objects, which programmatically

define certain tools or executables
or services or even permissions,

that need to be configured
on certain endpoints or users.

So very powerful configuration.

Yeah.

It could say PowerShell is not
installed here or I remove PowerShell.

Yeah. That would be configured in the GPO.

And they make use of it or
attack it or what do they do with it?

Well first, so they will perform
their privilege escalation,

try to get the highest rights on
any endpoint that they might find.

And they primarily focus on getting
domain admin rights within a user’s

or sorry, a target’s Active Directory
environment. Domain admin-

When you're talking about endpoints
you mean servers,

it could also be a server, right?

Yeah, server, workstations.
[ ] that’s how they get in,

going through workstations,
but they're going through server side

probably they are on some kind of file
server or indeed

a VPN concentrator or whatever
and try to be administrator there? Yes.

Yeah. Okay.

Yeah.

And then once they have
rights to edit these GPOs,

we see them continuously use
a specific script called Tank Trap.

Tank Trap is a PowerShell script.

Hence locking down PowerShell again.

It's a modified version of an already more
widely known exploit called PowerGPOAbuse.

And the primary purpose of
this script is to deploy software

to all endpoints that are domain joined,
meaning that they are linked

in the Active Directory configuration,
to deploy their wiper software.

So you can literally define a GPO-
They use the system tools

to deploy themselves. Exactly.

Yeah.

It's like building your own MDM
for malware.

Talk about living off the land.

Yeah, exactly.

Okay.

So, Rob, this must be good news,
because the only thing we need to do

to make sure that the Russians do
not get us, is disable PowerShell.

Or is that too simplistic?
Well, if they own

the Active Directory in a group policy,
they can easily enable it again.

So I would say-
[ ] ... be deployed.

Yeah. So I would first start

with making sure that they don't
get access to Active Directory.

At least make that
as difficult as possible.

Also again here, segmentation.

It’s why we allow other protocols like LDAP.
LDAP is for example, needed for the authentication.

Hopefully LDAPS, so the secure variant.

Also DNS is needed.

I hope it stays with that, often I see
a lot of other things also being open,

but that will make it really hard
to get access to your Active Directory.

But still, if they have access there,
then hopefully there is also an EDR

tool installed there
that detects malicious behavior.

In retrospect, so more
like a SIEM solution,

what you could do is make sure that
you log all the changes on that machine

and see, okay, but now I see some
potential dangerous changes.

Like the GPO policy.

And then you can act on it,
but that's after the fact.

So that's- We have to revert
to first poking in the SIEM,

then... First go to preventive measures
and then this is your last resort if you fail.

Alright.

We're getting to the last stage
of the kill chain: acting on objectives.

What's to say about that for this group?

It's very simple.

Their main objective always in
every attack has been either

to exfiltrate data, and or
deploy wiper software.

Causing damage and disruption
is primarily

the largest focus of this group
before even the NotPetya

attack in 2017, they were notorious for
continuously attacking the power grid

of Ukraine without really a purpose
of exfiltrating data or deploying

anything else except for just shutting it
all down by implementing wiper software.

Yeah.
Yeah.

So I get that if you want to bring down
the country's infrastructure.

Then you can with more traditional
military force, take a country, I get that part.

But it's also, especially
with NotPetya, it’s so loud.

I mean, why would they do this?
If then I think of Stuxnet.

Where we know, and that
was years ago, right?

So there’s Israel and the U.S.,
they made offline working malware,

to get into Iranian
nuclear research facilities.

And they screwed their sensors.

So the guy thought, hey,

Oh, it's, I don't know, 60 degrees
and in fact it was 70.

And they were trying to change it, and they couldn't
make sense of their sensors, they influenced

the readout of the sensor. Very clever.

It took them years, like five years
or so to figure out, ah, it's the sensor.

it’s the malware on there.

That sounds so much more effective to me
to simply, in a simple way, I mean,

disrupt your opponent,
but they don't do that.

No, no.
Or do they?

Well, no, they don't.
They are very loud,

but that's the point, is they want
to make a statement, is they

disrupt these giant services
and these critical infrastructures

to make a statement saying,
hey, we can do this.

It's really a show of force from this group
towards their opposing states.

Is there anything to do about
this continuity issue, Rob?

Well, hopefully you already
took the measures before,

because the less [ ]
... didn't work, now we’re here

and down.
So if the malware is indeed installed,

so they succeeded in that, then
it's really hard to do anything here.

Of course, you have still hope that
you have your EDR tools, etc.

running that detect it when
this malware is being executed.

But if it is being able to execute,
because everything is implemented

properly, then the only thing
to rely on here is your backup.

And then, start building again.

A backup is the final last resort
security defense tool.

Yeah.

Well, usually for an adversary
it stops here, right?

They have achieved their goal.
They demanded a ransom.

They exfiltrated the data. They....
But not for this group.

No. No.

Whenever this group
finishes their attacks

or even before they finish
their attack, successful or not,

they loudly exclaim from all the rooftops

how they did it, or not how they
did it, but what they did.

So your job, the part
‘attribution’ in your job

is really easy with this group.

It's much easier. Yes.

This group loves to flaunt their
successes and even

tell the world that their failures
are actually their successes.

Yeah. Successes.

There was one attack where,

they deployed their CaddyWiper malware,
which is a very, well, not simple,

but generic, wiper malware to just disrupt
as many systems as possible.

And even before the execution
of that CaddyWiper started,

they already announced in their
Telegram channel, their Cyber

Army of Russia Reborn channel
that they did it, that,

telegraphing their success is a
very high priority for this group.

Yeah. Okay.

I thought you use Signal to

announce text. Well, only if
you want to be secure

and they don't really care.
Oh. That's... Yeah.

All right, gentlemen, Rob, some final
words of wisdom maybe about this,

what can we learn from this?
How should we plan our day

differently tomorrow if we're
in the defense department?

Yeah, I think we already had a lot of
tips during this episode that you should

absolutely do, on the bragging part,
if they brag before they executed it,

then be aware of that, hopefully,
and then disconnect your systems.

Make sure that they cannot
pull this switch to...

So we should follow this Telegram channel.

Well, I think, for everyone who is doing security
threat intel group, that's the threat intel team

is really important, because
then you can detect these things.

Yeah.

In this case, it's actually, you can
even use that kind of knowledge

as a... A last resort preventive
measure, I would say.

Yeah, but it's still, it has a
touch of prevention in it.

Yeah, a touch of prevention. Yeah.

All right.

Well on that, gentlemen,
thank you very much for these insights.

Let's implement those measures and hope
that this part of the war doesn't reach us. No.

And to our listeners and viewers,
thank you very much, for tuning in.

If you like this episode, we'd appreciate

if you press the like
and subscribe button,

because it helps us spread the word.

And it will also make sure
that next Tuesday,

you will have our next episode
in your inbox. From headquarters here

at ON2IT.

Thank you once again
and see you next time.

Thank you for listening to Threat Talks,
a podcast by ON2IT cybersecurity

and AMS-IX. Did you like what you heard?

Do you want to learn more?

Follow Threat Talks to stay up to date
on the topic of cybersecurity.