Previously, for non-virtual thieves to get into the headquarters of the Democratic National Committee, they had to pick real door locks and rummage through filing cabinets. Stealing the production secrets of a jet fighter, for example, meant breaking into premises while the owner was away, which called for some talent on the thief's part and a working knowledge of, say, tiny spy cameras. The spy could then pass the microfilm to a courier by swapping identical envelopes.
Times have changed.

Over the past few days, two stories have given us ample evidence of how tightly modern espionage is intertwined with hacking. Cyber-spies can run first-class intelligence operations without ever leaving their desks in the IT departments of their intelligence agencies.
"Spies like us"

Yesterday, The Washington Post reported that Russian government hackers had infiltrated the DNC computer network.
According to the security experts who investigated the DNC breach, the cyber-spies thoroughly compromised DNC computers and were able to read all email and chat messages.
Unfortunately, this news is hardly a surprise. In fact, it was predicted that this would happen.
It is believed that two independent and possibly competing Russian hacker groups took part, one of which had already penetrated the DNC network last summer. Nothing is known about who sponsored them. The hackers were engaged in espionage, gaining access to the opposition research on Donald Trump hosted on the DNC network.
Meanwhile, on the Korean Peninsula, South Korean officials revealed that 40,000 documents related to the wing design of the American F-15 fighter had found their way to their northern neighbours, who were happy to put them to use.
Sneak attacks

First, let's consider the incident with the Russian hackers.
One of the Russian cyber groups involved in the DNC intrusion is called Cozy Bear. This is the same group that claimed responsibility for the White House cyber attack. The second group is called Fancy Bear, known for using zero-day attacks.
Security experts say both groups have also used phishing attacks before. Cozy Bear and Fancy Bear are believed to be associated with the Russian intelligence services.
At the moment, however, it is not known exactly how the hackers got into the DNC network.
What is known is that once they had access to the network, they deployed remote access trojans (RATs) and implants that let them log keystrokes, execute commands and transfer files. The Russian attackers also used command-and-control (C2) traffic hidden in the HTTP stream to control the RATs.
As far as the IT administrators were concerned, some users of the DNC network were simply visiting one or two websites; in fact these were C2 sites set up by the attackers and used to run the attack.
The Russian cyber-spies disguised their activity with PowerShell commands (malware-free hacking). They also stole credentials with Mimikatz, run as a hidden PowerShell script, for Pass-the-Hash / Pass-the-Ticket attacks.
Hats off to our intelligence services: it is safe to say that the North Koreans used similar methods. Phishing emails involving fake Apple IDs, for example, were used for the initial entry into Sony in Pyongyang's massive doxing campaign.
The attack on Korean Air Lines began in 2014. The North Korean cyber-spies probably used the stealth methods described above to keep their implants and document exfiltration from being tracked.
Spy Lessons

Looking at all of the above, none of it, unfortunately, will seem new or unusual. In fact, for anyone who has followed such incidents over the past few years, it is obvious that the different methods and tools are just pieces of the same puzzle.
For a very long time, clever hackers have bypassed perimeter defences using phishing, SQL injection or zero-day attacks. And once inside, they have had many ways to stay inconspicuous and avoid tripping virus scanners.
Instead of trying to build an ever higher wall, it would be more practical to defend against hackers once they are inside: stop them from reaching sensitive data and from leaking it out.
In both cases, the DNC and Korean Air Lines, the IT teams eventually noticed some anomalies. By that point, however, it was already too late to tighten the monitoring of internal email traffic and data removal.
A much better solution would be to automate the detection of such anomalies, so that when a user accesses files at an unusual time, or a user who rarely or never runs executables suddenly launches PowerShell, an alarm is raised.
This is what User Behavior Analytics (UBA) is about. These cases teach us that protecting confidential data is too important to rest on guesswork or on an IT specialist getting lucky during a spot check.
Instead, predictive UBA algorithms can compare current access patterns against historical ones in order to spot hackers in real time.
Think of UBA as a way for your IT organization to spy on the hackers and cyber-spies. It is far more efficient and cheaper than training and equipping an agent. Almost 007!
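As an added illustration of the baseline comparison described above (example code, not Varonis's product or the page's own code): a per-user profile is built from constructed sample audit events, and new events are checked against it, including the page's own case of a user who never runs executables suddenly launching PowerShell.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit events (not real DNC logs): user, timestamp, action, object.
HISTORY = [
    ("alice", "2016-05-02T09:15:00", "file_open", "research/memo-1.docx"),
    ("alice", "2016-05-03T10:40:00", "file_open", "research/memo-2.docx"),
    ("alice", "2016-05-04T14:05:00", "process_start", "winword.exe"),
    ("bob", "2016-05-02T11:00:00", "process_start", "outlook.exe"),
    ("bob", "2016-05-03T16:30:00", "file_open", "finance/q2.xlsx"),
    ("carol", "2016-05-02T10:05:00", "file_open", "hr/roster.xlsx"),  # never runs executables
]

def build_baseline(events):
    """Per-user profile from historical events: hours of activity and programs run."""
    baseline = defaultdict(lambda: {"hours": set(), "programs": set()})
    for user, ts, action, obj in events:
        profile = baseline[user]
        profile["hours"].add(datetime.fromisoformat(ts).hour)
        if action == "process_start":
            profile["programs"].add(obj.lower())
    return baseline

def score_event(baseline, event):
    """Return the reasons an event deviates from its user's history (empty list = normal)."""
    user, ts, action, obj = event
    profile = baseline.get(user)  # .get() does not create a default profile
    if profile is None:
        return ["unknown_user"]
    reasons = []
    if datetime.fromisoformat(ts).hour not in profile["hours"]:
        reasons.append("unusual_hour")
    if action == "process_start":
        program = obj.lower()
        if not profile["programs"]:
            reasons.append("user_never_ran_executables")
        elif program not in profile["programs"]:
            reasons.append("new_program")
        # The page's specific case: PowerShell from someone who does not normally use it.
        if program == "powershell.exe" and program not in profile["programs"]:
            reasons.append("powershell_first_use")
    return reasons

def find_anomalies(history, current):
    """Check every current event against the baseline and keep the flagged ones."""
    baseline = build_baseline(history)
    flagged = []
    for event in current:
        reasons = score_event(baseline, event)
        if reasons:
            flagged.append((event, reasons))
    return flagged
```

A real UBA product would use richer features and statistical thresholds rather than exact set membership, but the shape of the check is the same: profile first, then compare.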
Want to get a UBA? Learn more about how VARONIS can protect your data!