TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL

(S//REL) BYZANTINE HADES: An Evolution of Collection
V225
SIGINT Development Conference, June 2010

(S) What is BYZANTINE HADES?
• (S) BYZANTINE HADES = Chinese CNE
• (S) My focus: BYZANTINE CANDOR

(S) BYZANTINE HADES Sets
• (S) BYZANTINE CANDOR
  - 80% of targeting against DoD
  - Economic / commodities (oil deals)
  - Current geopolitical / economic events
• (S) BYZANTINE RAPTOR
  - Resurfaced Summer '08
  - 90% of activity targets DoD
  - Has targeted Congress
• (S) BYZANTINE ANCHOR
  - Fairly universal targeting, but have observed: weapon systems, information systems, NASA
• (S) BISHOP KNIGHT
  - Recent US activity against (about 80%): NASA, DoE, DoD, defense contractors
• (S) BYZANTINE VIKING
  - PLAN TRB
• (S) MAVERICK CHURCH
  - Formerly BISHOP TOPS
• (S) BYZANTINE TRACE
  - 95% of activity targets Ministry of Affairs / Defense
  - Has targeted DoD, but not recently
• (S) DIESEL RATTLE
  - Within US: ISPs, defense contractors, government
  - Japan
• (S) BYZANTINE FOOTHOLD
  - 50% of activity targets TRANSCOM
  - 40% targets PACOM, US Gov, defense contractors
• (S) BYZANTINE PRAIRIE
  - Inactive since March 2008
• (S) POP ROCKS
  - 2009 Navy router incident
  - Video conference providers
  - CARBON PEPTIDE

(S) BYZANTINE CANDOR
• (S) Formerly Titan Rain III
• (S) Targeted e-mail: spearphishing tied to malware
• (S) Uses Dynamic DNS for mid-point C2 infrastructure
• (S) Steganography to facilitate C2 (StegC2)

(U) Initial Searches
• (U) Reports
• (U) Task terms into SIGINT
  - Pinwale
  - XKeyscore
• (U) Link to other activity

(U) Analysis Tools
• (U) Crossbones
• (U) Domain and IP resolution
• (U) Google
• (U) TuningFork
• (U) Reports

(S//SI) Enabling Active Collection
• (S//SI) Pass IP to TAO
• (S//SI) Determine if host is vulnerable
• (S//SI) TAO collection
• (S//SI) Review collection

(U) And Analysis Reveals
• (S) Hacker techniques: not sneaky
• (S) Attribution: operate differently from TAO
• (S) Exfiltration
• (S) Indications of future targets

(S//REL) BYZANTINE CANDOR Infrastructure
[Map: BYZANTINE CANDOR C2 hop points by continent. As of 12 Aug 09, 8 weeks, ~350 observed. Classification: TOP SECRET//COMINT//REL TO USA, FVEY]

(S) Command and Control over FaceBook
[Screenshot: Facebook profile page in Firefox; a wall post contains a long base64 blob beginning TVqQAAMAAAAEAAAA, the encoding of an MZ/PE header]
• Victim malware posts to FaceBook page
• BYZANTINE responds with implant commands

(TS) Sigh

(U) Success Stories: Ours and Theirs
• (S) TRANSCOM compromise by BC
  - Targeted two CDCs involved in development
  - Over 2500 files exfiltrated
    • Contractor's certificates
    • System-specific code
    • Program-related documents
    • Admin passwords to GDSS Low-to-High guards
    • GDSS message formatting

(U) Success Stories
• (S) .gov networks
• (S) Significant world events targeting
  - Headlines
  - Shanghai World Expo
  - Any news that's fit to print
• (S) Future victims
  - Spear phishing
  - Web C2
  - Victim research

(U) Knowledge Gaps
• (S) Additional hacker attribution: ARROWECLIPSE
• (S) How exfiltration is planned
• (S) Who is requesting the information
• (U) Overall picture

(U) Part TAO

(U//FOUO) Byzantine Candor: A TAO Success Story
Computer Science Development Program Intern
TAO Requirements and Targeting, Cyber Counter-intelligence
SIGINT Development Conference, June 2010
Derived From: NSA/CSSM 1-52, Dated: 20070108
Declassify On: 203502

• (TS) Intrusion activity detected on DOD networks
• (TS) NTOC requested TAO assistance in targeting the foreign hosts involved, in order to provide actionable intelligence to the CND community

(S) What is a hop-point?
[Diagram: Actor -> Hop Point -> Internet -> Victim]
• (S) Hop-point
  - Computer exploited by an actor
  - Generally of little intelligence value
  - Used to connect to victims and conduct operations
• (TS) Majority of BC hop-points are US based
• (TS) There are a number of foreign hop-points as well
  - CCNE targets foreign hop-points

(S) E-mail Masquerades
[Diagram: Actor -> hop-points -> victims]
• (TS) Identification of hop-points
  - Victim callbacks
  - Other hop-points
• (TS) Types of operations / activities witnessed
  - Vulnerability port scans
  - Remote Desktop masquerades
  - E-mail masquerades
  - Spearphishing
  - Remote access tools
  - Altering callback domains
  - Personal web surfing (checking e-mail, stock portfolio surfing, not-safe-for-work material, etc.)

(U) It continues
• (TS) We began conducting numerous operations on hop-points
  - Exploiting new hosts
  - Collecting from existing hosts
• (TS) Started to put some pieces together and found the IP ranges the actors were coming from
  - Unfortunately for us, the range is dynamic
  - Difficult to track
  - Difficult to target

(U) ARROWECLIPSE to the rescue
• (TS) ARROWECLIPSE
  - Targeting the infrastructure of BC
  - Exploited key routers in the ISP
  - Gained access to billing and customer records
  - Attribute user accounts to IP addresses on a given date/time
  - Ability to attribute a CNE event to a user account
  - Attribute user account names to billing addresses
  - Billing address is 3PLA

(U) What else can we do?
• (TS) So we can attribute CNE events to user accounts. What else can we do?
  - Using router accesses we can survey and capture Remote Desktop traffic exiting the source range
  - New hop-points
  - Exploit the source network
  - Man-in-the-middle operation
    • We sit in the middle of the traffic; we can observe it and modify it
    • Let's add something extra to the traffic

(U) Results
• (TS) Exploited 5 computers tied to known BC accounts
  - Computers: 3 virtual machines, 2 physical machines
  - Exploited additional boxes not tied to known accounts
• (TS) Exploiting the boxes was the easy part. Accessing the machines is a different story.
  - Lots of waiting
  - Lots of luck
  - Wading through uninteresting data (pictures of family pets, old family photos)
  - Wading through interesting but unrelated data (pictures of PLA in uniform)

(U) Accessing the machines
• (TS) Late October 2009
  - Finally interactively accessed an exploited virtual machine, with [redacted]
    • 3PLA
    • Probable CNE operations team lead
• (TS) Since then we have conducted numerous operations against the 5 source-network machines
• (TS) Accessed a probable home / personal-use box tied to [redacted]
  - Used work ISP credential for personal box

(U) Results
• (TS) Excellent sources of data
  - Used in interactive operations (CDCs, USG entities, foreign governments, etc.)
  - Future target research (bios on senior White House officials, CDC employees, USG employees, etc.)
  - Victim data
  - Source code and new tools (USB tools, exploits, remote access tools, etc.)
  - Actor information (e-mail addresses, screen names, pictures, etc.)

(TS) Cuteboy
• (TS) [redacted]
• (TS) CNE actor
• (TS) Probable team lead
• (TS) Poor op-sec
• (TS) Implanted a VM associated with ISP account
• (TS) Bonus: implanted a physical box associated with ISP account (less frequently seen)
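The "Command and Control over FaceBook" slide shows victim malware posting to a profile page, with the post body starting TVqQAAMAAAAEAAAA, the base64 encoding of a Windows MZ/PE header. The following detection example is added here and is not code from the document or from any agency or project it describes: it scans social-media post text for long base64 runs that decode to a PE image, the pattern a defender would hunt for in a web proxy or DLP feed. The sample posts and the PE-stub builder are constructed for the demo.

```python
import base64
import re
from typing import List, Tuple

# Base64 runs long enough to carry a binary payload rather than a short token.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
DOS_STUB = b"This program cannot be run in DOS mode"


def decode_b64_run(run: str) -> bytes:
    """Decode a base64 run, tolerating a post that was cut before its padding."""
    padded = run + "=" * (-len(run) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return b""


def looks_like_pe(blob: bytes) -> bool:
    """A PE image starts with the DOS magic 'MZ' (base64 prefix 'TVqQ' when followed by 0x90)."""
    return len(blob) >= 2 and blob[:2] == b"MZ"


def scan_post(text: str) -> List[Tuple[str, int, bool]]:
    """Return (first 16 base64 chars, decoded length, DOS stub seen) for each PE-looking run."""
    hits = []
    for m in B64_RUN.finditer(text):
        blob = decode_b64_run(m.group(0))
        if looks_like_pe(blob):
            hits.append((m.group(0)[:16], len(blob), DOS_STUB in blob))
    return hits


def constructed_pe_stub() -> bytes:
    """Constructed stand-in for an executable: DOS header fields, then the classic stub text."""
    header = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00".ljust(0x40, b"\x00")
    stub = b"\x0e\x1f\xba\x0e\x00\xb4\t\xcd!\xb8\x01L\xcd!" + DOS_STUB + b".\r\n$"
    return header + stub


# Constructed sample posts: one implant check-in carrying a PE image, two benign posts.
SAMPLE_POSTS = [
    "Birthday! " + base64.b64encode(constructed_pe_stub()).decode(),
    "Happy birthday everyone, see you at the expo next week",
    "session token: " + base64.b64encode(b"not a binary at all, just a long ascii token for demo purposes!!").decode(),
]

if __name__ == "__main__":
    for post in SAMPLE_POSTS:
        print(scan_post(post))
```

Only the first post is flagged: its base64 run decodes to a 120-byte blob with the MZ magic and the DOS stub string, while the long-but-textual token in the third post decodes cleanly yet carries no executable header.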