Russian Information Warfare

ABOUT ME

EVOLUTION OF CYBER WARFARE

Cuban Missile Crisis

● Essence of the Decision
  ○ Rational Actor Model
  ○ Organizational Process Model
  ○ Governmental Process Model

● Why did the Soviet Union decide to place offensive missiles in Cuba?
● Why did the United States respond to the missile deployment with a blockade?
● Why did the Soviet Union withdraw the missiles?

THINK LIKE A RUSSIAN

INFORMATION WARFARE

● Depending on the target of action, information warfare consists of two types:
  ○ Information-psychological warfare, to affect the personnel of the armed forces and the population, which is conducted under conditions of natural competition
  ○ Information-technology warfare, to affect technical systems which receive, collect, process and transmit information, which is conducted during wars and armed conflicts
● Corrupt image vs Disinformation

Political
● Communism prior to its demise
● Two party system
● They have “elections” (three presidents since 1991)
● Dissidents arrested

Economic
● Natural resources: largest reserves and largest exporter of natural gas
● 16% of GDP, 52% of federal budget revenues and over 70% of total exports
● Cheap technical workforce
● Technical workforce with no jobs
● Average Salary: $565/month
● Credit Rating: BB+ (Domestic), BBB- (Foreign)

International IW
● Seeks to assert itself as the foreign power
● State owned media
● Can accomplish IPE
  ○ Geopolitical goals
  ○ DNC / Crimea / Syria / Georgia
  ○ WADA
  ○ Foreign intelligence: US election
  ○ Disinformation

EVOLUTION OF INFORMATION WARFARE

2016 US ELECTION TIMELINE OF EVENTS

● April 2016 - FBI contacts DNC
● June 15th - Guccifer 2.0 takes credit for the DNC hack
● July 5th - Director Comey Hillary Clinton announcement
● July 22nd - WikiLeaks publishes 20k hacked DNC emails
  ○ Debbie Wasserman Schultz retires
● September 15th - Guccifer 2.0 posts Democratic Party documents
● September - At G-20 Summit Obama tells Putin to “cut it out”
● October 7th - US intelligence agencies announce they are confident the Russian government aimed to interfere in the election
● December 5th - White House says had direct role in hacking US election
● September 25th - Washington Post article documenting FB ad campaign

CAMBRIDGE ANALYTICA

● “This Is Your Digital Life”
● For academic use
● Collected survey takers and friends within their social network
● 50 million Facebook users
● 2015 and 2016 campaigns of United States politicians Donald Trump and Ted Cruz
● 2016 Brexit vote
● 2018 Mexican general election, for the Institutional Revolutionary Party

Odd Timing?

● Migayas Shrinksy - Russian Ambassador to
● Oleg Erovinkin - Former intelligence officer, found dead in his car
● Denis Voronenkov - Fled to Ukraine, shot dead
● Andrey Karlov - Russian Ambassador to Turkey, shot
● Vitaly Churkin - Russian Ambassador to UN, suddenly dies
● Petr Polshikov - Russian diplomat, shot in
● Alexander Kadakin - Russian ambassador, dies after illness
● Sergei Krivov - Died on the morning of US election
● Andrey Malanin - Russian diplomat found dead in Athens
● Nikolai Gorokhov - Nearly died after falling from fourth floor of his Moscow apartment

Evolution of Turla

SNAKE OVER THE YEARS

Targeting/Infection Vector

● Spearphishing
● Watering holes
● 3rd party suppliers
● Webshell

INITIAL COMPROMISE

● Initial backdoor dropped
  ○ Wipbot
    ■ CVE-2013-5065 – Privilege escalation vulnerability
    ■ CVE-2013-3346 – Arbitrary code-execution vulnerability in Adobe Reader
  ○ Sets ThreadHideFromDebugger – breaks debugging
  ○ Classic injection
    ■ Calls WriteProcessMemory and then CreateRemoteThread
  ○ Creates a new process in suspended mode and maps the same section of memory twice, in two different processes
    ■ SetWindowLong API call to start a thread in the newly created process – breaks most malware sandboxes
    ■ Jumps several times from one process to another
    ■ Wipes out the PE section so that it is harder to rebuild the unpacked executable
● No code in common with Turla except ModuleStart and ModuleStop

UPDATING the C & C

ATTRIBUTION

● Unicode 1251
● Bad English
  ○ “Password it´s wrong!”
  ○ “Count successful more MAX”
  ○ “File is not exists”
  ○ “File is exists for edit”
● Time/Working hours
● “Zagruzchik” – “boot loader” in Russian
● KopiLuwak/JS
● HTML5 Encoding 0.3.7
  ○ The extension will look at each photo’s comment and will compute a custom hash value
● Wipbot
● Virtualbox

WHO ARE THE TARGETS
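As an added example (not from the talk or any of the reports it cites), a small Python triage that applies three of these attribution clues to a constructed sample: code page 1251 Cyrillic strings, the non-native English messages quoted above, and whether compile timestamps (assumed here to be PE TimeDateStamp values) cluster in a UTC+3 working day. The byte blob and the timestamps are constructed, not taken from any real sample.

```python
"""Triage for the attribution clues on the slide: cp1251 Cyrillic strings,
the quoted non-native English messages, and compile-time working hours."""
import re
from datetime import datetime, timedelta, timezone

# Error strings quoted on the slide; matched case-insensitively.
BAD_ENGLISH_MARKERS = ("password it's wrong", "count successful more max",
                       "file is not exists", "file is exists for edit")
# In code page 1251 the bytes 0xC0-0xFF are exactly the 64 Cyrillic letters
# (А-Я, а-я); a run of four or more is treated as a candidate word.
CP1251_WORD = re.compile(rb"[\xc0-\xff]{4,}")
# Assumption: test timestamps against a UTC+3 (Moscow) 09:00-18:00 weekday.
MSK = timezone(timedelta(hours=3))

def find_cp1251_strings(blob):
    """Return Cyrillic words decoded from cp1251, in order of appearance."""
    return [m.group().decode("cp1251") for m in CP1251_WORD.finditer(blob)]

def find_bad_english(blob):
    """Return the slide's non-native English markers present in the blob."""
    text = blob.decode("latin-1").lower().replace("\u00b4", "'")
    return [marker for marker in BAD_ENGLISH_MARKERS if marker in text]

def working_hours_ratio(timestamps, tz=MSK, start=9, end=18):
    """Fraction of Unix-epoch timestamps falling Mon-Fri start..end in tz."""
    hits = 0
    for ts in timestamps:
        local = datetime.fromtimestamp(ts, tz)
        if local.weekday() < 5 and start <= local.hour < end:
            hits += 1
    return hits / len(timestamps) if timestamps else 0.0

def _msk(y, mo, d, h, mi):
    return int(datetime(y, mo, d, h, mi, tzinfo=MSK).timestamp())

# Constructed sample: a PE-like blob carrying "Загрузчик" (zagruzchik, "boot
# loader", as on the slide) in cp1251 plus two of the quoted error strings.
SAMPLE_BLOB = (b"MZ\x90\x00" + "Загрузчик".encode("cp1251")
               + b"\x00Password it\xb4s wrong!\x00File is not exists\x00\xff\xfe")
# Constructed compile times: three in weekday office hours, one on a Saturday.
SAMPLE_TIMESTAMPS = [_msk(2014, 3, 4, 10, 15), _msk(2014, 3, 5, 16, 40),
                     _msk(2014, 3, 6, 11, 5), _msk(2014, 3, 8, 14, 0)]

def triage(blob=SAMPLE_BLOB, timestamps=SAMPLE_TIMESTAMPS):
    """Collect the three clue types into one report dict."""
    return {"cyrillic": find_cp1251_strings(blob),
            "bad_english": find_bad_english(blob),
            "working_hours_ratio": working_hours_ratio(timestamps)}
```

None of these clues is conclusive on its own; code pages and error strings can be planted, which is why the slide lists them alongside tooling overlap such as Wipbot and the VirtualBox driver.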

● Government
● Ministry of interior
● Ministry of trade and commerce
● Ministry of foreign/external affairs
● Intelligence
● Embassies
● Military
● Education
● Research
● Pharmaceutical companies

OSINT

QUESTIONS?

Stages

Stage 0: Targeting/Infection Vector

Stage 1: Initial Compromise

Stage 2: Lateral Movements

Stage 3: Turla Deployed (Fully Compromised)

LATERAL MOVEMENTS

● Get domain credentials
● Further compromise the victim
● Develop understanding of the network for customized malware deployment

TURLA 64 Bit

● Virtualbox vulnerability
  ○ The vulnerable version of the driver allows loading arbitrary data (including any shellcode) into the kernel, and then specifying a function to be executed for IOCTL handling.
  ○ Allows the malware to disable driver code-signature verification by overwriting the kernel variable g_CiEnabled with a value of 0, in turn enabling the loading of unsigned and malicious code into the kernel
● Encrypted VFS
  ○ Implemented in pfinet and Snake
  ○ CAST-128 encryption used
  ○ Decryption/encryption implemented at a low level by hooking sector processing mechanisms
  ○ Two volumes: on disk and volatile storage
● HTML5 Encoding 0.3.7
  ○ The extension will look at each photo’s comment and will compute a custom hash value

Source: Turla: APT Group Gives Their Kernel Exploit a Makeover (Last Line)

MODULAR COVERT CHANNELS

● Only in Snake
● Customizable: encryption, fragmentation, reliability, etc.
● Named pipes: link between Pfinet and Snake