GRU: military unit 29155

11 de October de 2024 Por Leave a Comment

Historically, the Russian GRU military unit 29155 (VCh 29155, 161st Specialist Training Center) has been involved in active measures such as subversion, assassinations or sabotage. Recall that Soviet or Russian active measures refer to covert operations with the aim of influencing the policy or public opinion of third countries. These measures include from activities in cyberspace to “wet stuff” (assassinations, blackmail, sabotage…). Other famous operations of this unit include the sabotage of an arms depot in Czech Republic (2014), a coup in Montenegro (2016) or the attempted poisoning of the Skripals in Salisbury (2018).

Although unit 29155 was known to analysts, its existence jumped to generalist media when this unit was accused of being the cause of the “Havana Syndrome”. This syndrome was identified among U.S. and Canadian diplomats and intelligence personnel stationed in Cuba, in 2016, and its symptoms were replicated in other parts of the world. These symptoms include visual problems, vertigo or cognitive difficulties that manifest, according to those affected, after hearing strange sounds. Since the discovery of Havana syndrome, its origin has been controversial. Different studies have associated it with Russian intelligence activities related to new-generation weaponry, from acoustic weapons to directed energy.

[Read more…]

Proximity operations in cyberspace

11 de June de 2024 Por Leave a Comment

In the field of cyberspace operations, most attack or exploitation operations are remote, i.e. they are carried out using technologies that allow the hostile actor not to be physically close to its target: access via VPN, a malicious email or link that installs an implant in the victim, a remote vulnerability that is successfully exploited, etc. But a small percentage of operations require a physical approach between the hostile actor and its target: these are proximity operations, also called Sneaker Operations or CACO (Close Access Cyberspace Operations).

Crypto AG CX-52. Fuente: WikiPedia.

When not everything was connected to the Internet, proximity operations were almost the only way to access the target’s systems or information; to steal information you had to place a bug or a camera by sneaking into a building at night, modifying a supply chain or placing yourself in a building across the street from the target’s premises, to give a few examples. Some of the signals intelligence acquisition actions required this proximity, and this proximity obviously implied a significant risk of being neutralized, with all the implications that this neutralization can have. Some well-known examples of proximity operations for signals intelligence acquisition involve (allegedly) the French DGSE implanting bugs in the business seats of Air France flights between Paris and New York, the Soviets (allegedly) giving a Great Seal with an implant to the US ambassador to the USSR, or Germans and Americans (allegedly) manipulating Crypto AG cipher devices in Operation Rubicon.

[Read more…]

From intelligence to threat detection

2 de August de 2023 Por

Threat detection is largely based on indicators of compromise. These indicators are observables that we identify during the management of an incident or during an investigation, that we receive from third parties in the form of intelligence feeds, that we download from platforms such as MISP, that we share among working groups… in short, we discover them or they discover them. But where do these indicators come from? In one way or another, indicators, a fundamental part of the characterisation of a threat (actor, operation…), come from intelligence analysis. In this article, we will discuss the path from intelligence gathering to the generation of indicators of compromise to detect a threat. This path is summarised in the figure below:

We all know that the various intelligence disciplines play a fundamental role in detecting threats in cyberspace. In this cyber domain, each of these disciplines (simplified SIGINT, MASINT, HUMINT, OSINT and GEOINT) has a specific weight and value, and forms the basis of what we call cyber intelligence. For example, the role of signals intelligence tends to be much more important than that of geospatial intelligence, and human sources contribute much less intelligence than signals, but much more value if well managed.

read more

Exploiting APT data for fun and (no) profit (IV): conclusions

4 de December de 2020 Por
Post of the serie “Exploiting APT data for fun and (no) profit”:
=> I: acquisition and processing
=> II: simple analysis
=> III: not so simple analysis
=> IV: conclusions

Now you have some tips, evidence-based, for your APT talks (don’t forget to use these tips together with Sun Tzu’s “Art of War” quotes); with some more time, you can get to more stupid or interesting conclusions about threat groups activities, interests and origins. And exploiting other datasets (MITRE ATT&CK, here we go!) We can expand those conclusions.

Some key data we can conclude after this little analysis of data:

  • It seems clear that Russia plays in the APT Champions League. It’s the most active country in all kind of threat activities, from sabotage to espionage or financial gain.
  • The threat group leader is also a Russian one: Turla, operating from almost a quarter century -in this case we can confirm it’s still active- and with targets from a long list of countries and sectors.
  • The most loved by analysts threat group is also a Russian one: APT28. Maybe for this reason is the threat group with more synonyms.
  • The number of threat actors with CNA capabilities has increased during last years, once again with Russia leading the ranking.
  • Apart from classical players, two actors have been particularly actives in the last years: Iran and North Korea.
  • It should be interesting to identify a parameter for threat groups, something like “last time seen”, in order to calculate the years a group has been active.
  • Using different, vendor-dependent names, for the same threat actor is a little chaos when analyzing data. In this sense, a good effort is MISP’s UUID for each group (https://github.com/MISP/misp-galaxy/blob/main/clusters/threat-actor.json#L2434), as @adulau noted.
  • With some imagination and gnuplot you can have your own APT Magic Quadrant for marketing purposes.
  • Disclaimer: this is just a simple blog post, not a scientific paper, so don’t expect non questionable sentences here!
  • And the most important conclusion: AWK is your friend. Remember:

Exploiting APT data for fun and (no) profit (III): (not so) simple analysis

4 de December de 2020 Por
Post of the serie “Exploiting APT data for fun and (no) profit”:
=> I: acquisition and processing
=> II: simple analysis
=> III: not so simple analysis
=> IV: conclusions

Once we have answered some silly & simple questions, it’s time to wonder more complex ones, so let’s imagine…

Are CNA threat actors increasing their activities during last years?

In the simple questions, we have concluded that sabotage and destruction motivations are not the most common among threat groups. But we are interested in these ones. Let’s see them among time:

for i in `grep "Sabotage and destruction" [0-9]*.txt|awk -F: '{print $1}'`; do grep \"meta\",\"date\"\] $i|awk '{print $2}'|sed 's/\"//g';done|awk '{a[$0]++}END{for(k in a){print k,a[k]}}’ >years.cna

Plotting the results, we have:

gnuplot> set boxwidth 0.5

gnuplot> set boxwidth 0.5

gnuplot> set xtics 1

gnuplot> set ytics 1

gnuplot> set yrange [0:5]

gnuplot> plot 'years.cna' with boxes

Since 2012, the number of these threat actors has increased significantly: 9 out of 14 groups in the last eight years, so we can say it’s a growing trend. Out of curiosity , the oldest group with CNA capabilities is dated in 2001. Can you guess its name? Yeah… Equation Group.

[Read more…]

Exploiting APT data for fun and (no) profit (II): simple analysis

4 de December de 2020 Por
Post of the serie “Exploiting APT data for fun and (no) profit”:
=> I: acquisition and processing
=> II: simple analysis
=> III: not so simple analysis
=> IV: conclusions

Once we have processed the gathered information we can start our analysis trying to ask the silly and simple questions that many times we wonder. Let’s go. 

Which are the groups with more synonyms?

The silliest question I always wonder is why we use so many names for the same actor. Which one is the group with more names? Let’s see:

$ for i in [0-9]*.txt; do c=`grep synonyms\", $i|grep -vi operation|wc -l `; echo $c $i;done |sort -n|tail -1

18 233.txt

$

The result is “233.txt”, which corresponds to APT 28, with 18 synonyms; the second one in the ranking, with 16 names, is Turla. Casually, both of them are from Russia (we’ll see later some curiosities about Russia).

Apart from that, a personal opinion: 18 names for the same group! Definitely, once again, we need a standard for threat actor names. This can be your first sentence when giving a talk about APT: where is an ISO committee when it’s needed?

Which groups are from my country?

Well, outside well known actors… how many groups are from my country? Spanish ISO 3166-1 country code is ES, so let’s look for Spanish threat actors with a simple command, as well as threat actors from other relevant countries

$ grep \"country\" [0-9]*.txt|grep -w ES

$ grep \"country\" [0-9]*.txt|grep -w DE

$ grep \"country\" *.txt|grep -w IL

183.txt:["values",183,"meta","country"]	“US,IL"

$

No identified groups from Spain… well, I’m sure this has a technical explanation: Spanish groups are so stealth that they are difficult to discover, and their OPSEC is so strong that, in case of being discovered, attribution is impossible. For sure! But what about Germany? Where is your Project Rahab now? And what about Israel, with only a sad starring together with US? Yes, it’s Stuxnet, but only a single starring… I hope you are as good as Spanish groups: nobody can discover you, and attribution is impossible :) Another sentence for your APT talks: in the group of most stealth countries we can find Germany, Israel… or Spain.

[Read more…]

Exploiting APT data for fun and (no) profit (I): acquisition and processing

1 de December de 2020 Por
Post of the serie “Exploiting APT data for fun and (no) profit”:
=> I: acquisition and processing
=> II: simple analysis
=> III: not so simple analysis
=> IV: conclusions

When attending to talks about APT -or when giving them- sometimes you hear sentences like “most threat actors are focused on information theft” or “Russia is one of the most active actors in APT landscape”. But, where do all those sentences come from? We have spent a whole night exploiting APT data for fun and (no) profit, in order to provide you with some curiosities, facts, data… you can use from now in your APT talks!! :)

Since 2019 the folks at ThaiCERT publish the free PDF book “Threat Group Cards: A Threat Actor Encyclopedia” and they have an online portal (https://apt.thaicert.or.th/cgi-bin/aptgroups.cgi) with all the information regarding APT groups acquired from public sources. In this portal, apart from browsing threat groups and their tools, they present some statistics about threat groups activities (source countries, target countries and sectors, most used tools…). Most of these threat groups are considered APT (at the time of this writing, 250 out of 329, with last database change done 20 October 2020).

But what happens when you need specific statistics or correlations? You can download a JSON file and exploit it yourself:

$ curl -o out.json https://apt.thaicert.or.th/cgi-bin/getmisp.cgi?o=g
[Read more…]

IOCs are dead, long live IOCs!

28 de September de 2020 Por

An Indicator of Compromise (IOC) is defined as a piece of information that can be used to identify the potential compromise of an environment: from a simple IP address to a set of tactics, techniques and procedures used by an attacker in a campaign. Although when we speak of IOC we always tend to think of indicators such as IP or domains, the concept goes beyond this, and depending on their granularity, we can find three types of indicators:

  • Atomic indicators: those that cannot be broken down into smaller parts without losing their usefulness, such as an IP address or domain name.
  • Calculated indicators: those derived from data involved in an incident, such as a hash of a file.
  • Behavioral indicators: those that, from the treatment of the previous ones, allow the representation of the behavior of an attacker, his tactics, techniques and procedures (TTP).
[Read more…]

CNA Tactics: a first proposal

25 de February de 2020 Por

(Editor’s note: this post was originally published in the Spanish version of Security Art Work on 11th November 2019)

Today we have a doctrinal and somewhat metaphysical article… I.e., something dense. Be warned :)

Within CNO (Computer Network Operations) we find three types of capabilities or actions: CND, CNA and CNE (Defense, Attack and Exploitation respectively).

While CND obviously deals with the defense of technological environments against attacks also technological —not against a missile that hits a Datacenter—, CNE operations and capabilities focus on the acquisition and exploitation of information through networks and computers: what we currently call cyberspying. For its part, CNA, Computer Network Attack, refers to what is often identified with purely destructive operations (the famous “4D”: disrupt, deny, degrade and destroy).

Any actor that executes CNO operations develops TTP (Tactics, Techniques and Procedures) to achieve its objectives; without going into the more formal definitions of the US military literature, tactics specify what an actor does, techniques specify how a tactic is implemented and procedures define a particular implementation —depending even on the person who applies them— of that tactic; this approach, from the higher level to a more operational level, models the behaviour of an actor, something similar to what is usually called its modus operandi.

[Read more…]

(Cyber) GRU (XIV): conclusions

10 de May de 2019 Por

In this work, we have analyzed mainly the structure, targets and TTP of the GRU in the cyber field, based on the information brought to light during 2018 and which allowed to obtain a detailed knowledge of the Service and its activities, not only to intelligence services, but also to poor analysts like us who do not have all the capabilities that a state can have. With what we know, even analyzing public sources, we have access to information that in some cases should be considered sensitive and that, without a doubt, is being -or has been- analyzed by services from all over the world, starting with Russia itself.

The fact that we know the GRU better than a year ago does not mean that now it is a worse service than before; it will remain part of the elite, fulfilling its missions and acting “in any part of the world where it is required“, said one of its former directors. The GRU, or APT28, or whatever you want to name it, will continue to be a very important player in the cyber field and, of course, in the non-cyber realm. We all make mistakes, and the GRU made them on that occasion – and they were published. However, it is more of a concern in certain circles that the GRU failed in its operations than to have leaked the identities or modus operandi of some of its members.

[Read more…]