TS//SI//REL TO CAN, AUS, GBR, NZL, and USA
Communications Security Establishment Canada / Centre de la sécurité des télécommunications Canada

Slide 1: Hackers are Humans too
Cyber leads to CI leads
Safeguarding Canada's security through information superiority

Slide 2: Introductions
• Cyber-counterintelligence
• My primary focus is MAKERSMARK (Russia)
• CSEC - Covert Network Threat (CNT) group
  - New name, same Cyber/CI group you know and love
  - Cyber and traditional CI sitting side by side
  - Focused on Foreign Intelligence, not Information Assurance

Slide 3: Goals
• How do we attribute cyber intrusion sets?
• How do we go beyond the hacking face of a CNE program?
  - Expose management structure, operators
  - Requirements, technological advances
• This presentation portrays only one method
  - Passive infrastructure tasking/contact chaining
  - Many others are available

Slide 4: Initial Seed
• Infrastructure tasking
  - Mostly exposed through malware/content delivery
• Careful and manual monitoring of anomalous network sessions
• Nothing fancy
• Not Web 2.0, but it works

Slide 5: Overview
• MAKERSMARK
  - Misuse of Operational Infrastructure
  - Poor OPSEC practices

Slide 6: MAKERSMARK (Russian CNE)
Designed by geniuses
Implemented by morons
Slide 7: MAKERSMARK
• The MAKERSMARK less attributed (LA) systems are really well designed
• This has not translated into security for MAKERSMARK operators
• Personal browsing through LA systems
  - Workshops, ORBs, and controllers
• Development shop infected by crimeware
  - 4th party collection

Slide 8: MAKERSMARK: Less Attributed Overview
[Diagram: SIGINT intercept; spoofed source IP; MAKERSMARK]

Slide 9: MAKERSMARK: Misuse of Infrastructure
• Less Attributable infrastructure used for highly attributable purposes:
  - Hosting implant callback servers
  - Live testing of new implant protocols
  - Collecting exfiltration
• This is not CNE best practice

Slide 10: MAKERSMARK: Misuse of LA Systems
• Personal Social Networking
  - Vkontakte
  - (mail/inbox/bk).ru accounts
• Personal Email
  - Webmail/POP
  - Personal retrieval through masquerading infrastructure
• Personal web browsing

Slide 11: MAKERSMARK: 4th party collection
• Implant development shop infected by GUMBLAR botnet
  - Crimeware
  - Sends pharmaceutical spam
• Exfiltration to Canadian "bullet proof" host
  - HTTP/FTP logins
  - Collection of MM operator browsing habits
  - MM LiveJournal accounts included in collection

Slide 24: Closing Remarks
• You have to keep an eye out
  - A lot of value can be lost by not following leads
  - Typically the window to exploit information is short
  - Knowing what to look for is half the battle
• These exploitation opportunities don't last forever
• As a CNE program matures, so will its OPSEC

Slide 25: Questions?
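As an added illustration of the passive contact-chaining method from slides 3 and 4 and the personal-use indicators from slides 9 and 10 (example code, not from the deck or from CSEC), the following Python chains outward from a seed callback server and flags chained hosts that also reach personal services. The IP addresses, flow records and the exact service list are constructed here for the example.

```python
from collections import defaultdict

# Constructed flow records (not from the deck): (src_ip, dst_ip, dst_port, server_name),
# where server_name is the observed SNI/HTTP Host, or "" when none was seen.
FLOWS = [
    ("203.0.113.10", "198.51.100.5", 443, ""),           # implanted victim -> callback server (seed)
    ("203.0.113.11", "198.51.100.5", 443, ""),           # second victim -> seed
    ("192.0.2.20", "198.51.100.5", 22, ""),              # operator controller -> seed
    ("198.51.100.5", "192.0.2.20", 443, ""),             # seed -> controller (exfil hand-off)
    ("192.0.2.20", "192.0.2.40", 443, "vk.com"),         # personal social networking via LA box
    ("192.0.2.20", "192.0.2.41", 110, "pop.mail.ru"),    # personal POP mail via LA box
    ("192.0.2.20", "192.0.2.42", 443, "example.net"),    # ordinary browsing, not a flag
    ("203.0.113.12", "192.0.2.42", 443, "example.net"),  # unrelated host, outside the chain
]

# Services the deck names as personal use of LA systems: Vkontakte, (mail|inbox|bk).ru, LiveJournal.
PERSONAL_SERVICES = ("vk.com", "mail.ru", "inbox.ru", "bk.ru", "livejournal.com")

def is_personal(server_name):
    return any(server_name == s or server_name.endswith("." + s) for s in PERSONAL_SERVICES)

def contact_chain(flows, seed, max_hops=2):
    """Directed contact chaining: follow connection initiation outward from the seed.
    Returns {host: hop_count}. Hosts that only initiate to the seed (implant victims
    calling back) are deliberately not reached; hosts the seed itself talks to are."""
    out_edges = defaultdict(set)
    for src, dst, _port, _name in flows:
        out_edges[src].add(dst)
    hops, frontier = {seed: 0}, [seed]
    for depth in range(1, max_hops + 1):
        nxt = []
        for node in frontier:
            for peer in sorted(out_edges[node]):
                if peer not in hops:
                    hops[peer] = depth
                    nxt.append(peer)
        frontier = nxt
    return hops

def flag_personal_use(flows, seed, max_hops=2):
    """Hosts in the seed's chain that also reach personal services, i.e. the OPSEC
    failure the deck describes. Returns {host: [(server_name, dst_port, hops), ...]}."""
    hops = contact_chain(flows, seed, max_hops)
    findings = defaultdict(list)
    for src, _dst, port, name in flows:
        if src in hops and is_personal(name):
            findings[src].append((name, port, hops[src]))
    return dict(findings)
```

Running `flag_personal_use(FLOWS, "198.51.100.5")` returns only the controller at 192.0.2.20, because the victims never appear downstream of the seed and example.net is not in the personal-service list.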