Once a Target, Always a Target

Flaws in the Cyberattack Assembly Line

Published in The Azimuth
May 12, 2017

Blake Darché | Area 1 Security

It’s tempting to think cyberattacks are sophisticated, but from a technical perspective, they are mostly routine. Cyber actors must rely on operational efficiency, reusable modular toolkits, and infrastructure stability to attack a large number of targets successfully. These assembly lines run counter to the view that cyberattacks are “sophisticated snowflakes”, and they provide opportunities to preempt attacks at a point in time when it is still possible to change outcomes.

Through its ActiveSensor network, Area 1 Security observed several small patterns in a phishing campaign launched November 9, 2016. This campaign, which began the day after the U.S. presidential election, revealed insights into the actor’s assembly line, a partial database of targets, and methods to preempt future attacks.

The campaign we observed is attributed to a Russian espionage group we call RUS2 (also known as the Dukes, APT-29, or Cozy Bear). RUS2 is solely focused on targeting political organizations. They are known to have hacked the DNC in 2015 and breached the State Department in the same year. To achieve their goals, they simultaneously pursue current and former officials, as well as associates working in private industry.

The phishing emails in this campaign had several shared characteristics:

Subjects: “just FYI”, “RFI”, “eFax”, or “Elections”

Attachments: ZIP file attachment or Microsoft document containing a malicious macro

Command and Control: known C2 operated by RUS2

During the reconnaissance phase (Kill Chain — 1) of a cyber campaign, actors compile lists of targets and their email addresses, primarily through open source data-gathering, web scraping, social network analysis and other national technical means. Once targets are identified and their targeting information compiled, that information is typically loaded into a targeting database in an automated system to execute the delivery phase (Kill Chain — 3).

The targeting database that Area 1 Security was able to reconstruct reveals three specific insights into the assembly line of operations which can be used to preempt future campaigns:

  1. The database contains a mixture of personal and corporate email addresses. Targets include current and former officials of the U.S. government or associates in the political process. This shows RUS2 is looking for the weak link in the chain and will pursue direct and indirect targets to achieve their campaign’s goals.
  2. Analysis of bounced emails included in the campaign shows that the actor does not clean or update its database of targets. Targets continue to receive phishing attacks whether or not they still hold the position they held when initially targeted.
  3. Temporal reconstruction of the bounced emails, targets, and their positions of interest reveals targeting going back ten years to 2007.

RUS2 believes it avoids detection by changing some aspects of the infrastructure it uses. This is a countermeasure to traditional security approaches, which focus on blocking IPs, domains, and URLs. Because the actor consistently redelivers phishing campaigns to targets no longer associated with the identified email addresses, our use of attacker behavior analytics allows us to reconstruct both the timeline and development of their campaigns, as well as the new infrastructure and payloads being delivered.
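The behavior-first approach described above, as an added example that is not Area 1 Security’s code: the lure match keys on the campaign’s shared characteristics (the subject lines the post lists, and a ZIP or macro-capable Office attachment) while ignoring sender infrastructure, and the bounce analysis surfaces addresses the actor keeps mailing after they bounced, which is the pattern used to date entries in the target database. The attachment rule and the sample mail log are constructed assumptions, not data from the campaign.

```python
from collections import defaultdict

# Subjects are the ones the post lists; the attachment rule stands in for
# "ZIP attachment or Microsoft document containing a malicious macro" and is
# an assumption (a real filter would inspect the file, not only its name).
CAMPAIGN_SUBJECTS = {"just fyi", "rfi", "efax", "elections"}
MACRO_CAPABLE_EXTENSIONS = (".doc", ".docm", ".xls", ".xlsm", ".pptm")

def matches_campaign(msg):
    """Return the lure traits of one message that match the campaign.

    Sender address, IP and URL are ignored on purpose: the actor rotates
    infrastructure between waves but reuses the same lures, so the match
    keys on behavior rather than on blockable indicators.
    """
    reasons = []
    if msg["subject"].strip().lower() in CAMPAIGN_SUBJECTS:
        reasons.append("reused-subject")
    name = msg.get("attachment", "").lower()
    if name.endswith(".zip"):
        reasons.append("zip-attachment")
    elif name.endswith(MACRO_CAPABLE_EXTENSIONS):
        reasons.append("macro-capable-office-doc")
    return reasons

def stale_targets(log):
    """Addresses that bounced campaign mail on two or more distinct dates.

    Mailing an address again after it bounced means the list was never
    culled; the bounce dates bound how long the address has been in it.
    """
    bounce_dates = defaultdict(set)
    for msg in log:
        if msg.get("bounced") and matches_campaign(msg):
            bounce_dates[msg["recipient"].lower()].add(msg["date"])
    return {addr: sorted(d) for addr, d in bounce_dates.items() if len(d) > 1}

# Constructed sample mail log (not real telemetry): one person mailed at a
# defunct 2008-era address and at a current employer, plus benign traffic.
SAMPLE_LOG = [
    {"date": "2016-11-09", "recipient": "jdoe@campaign08.example",
     "subject": "eFax", "attachment": "message0236.zip", "bounced": True},
    {"date": "2016-11-09", "recipient": "jdoe@bank.example",
     "subject": "eFax", "attachment": "message0236.zip", "bounced": False},
    {"date": "2017-02-14", "recipient": "jdoe@campaign08.example",
     "subject": "RFI", "attachment": "rfi.docm", "bounced": True},
    {"date": "2017-02-14", "recipient": "asmith@bank.example",
     "subject": "Quarterly report", "attachment": "q1.pdf", "bounced": False},
]
```

Run `stale_targets(SAMPLE_LOG)` to see the defunct address reported with both bounce dates, while the benign message produces no match.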

It’s easy to imagine RUS2 operating a giant spreadsheet where new targets are added, but never leave. RUS2 probably moves quickly, compromising a server or service to send out phishing emails from it, and then leaves, never returning to check for bounced email messages to cull from its list.

Targets who change their positions and the organizations they work for after becoming a target of RUS2 unintentionally move into the crosshairs of future campaigns. Thus targets carry the blemish of being a Russian target into their new workplace. These people unintentionally give RUS2 beachheads in companies and organizations they never even planned on or imagined hacking. As an example, several targets of the November 9, 2016, campaign who had worked in the prior administration and now work in the financial, pharmaceutical, and defense industries continue to be targeted, and those organizations are attacked as a result of the association.

Russia is notoriously persistent in pursuing targets and our report is a lesson on why every organization needs great security.

Our analysis of the last ten years of RUS2 targeting, compiled by reverse engineering their database, reveals previously undisclosed information about the involvement of Russian actors in prior U.S. elections. It has been widely reported that both presidential candidates in the 2008 election were targeted and exploited by actors associated with the Chinese government. Area 1 Security was able to identify targets within the November 9, 2016 campaign whose association with the 2008 campaign indicates RUS2 was actively targeting them during the same period. The list also includes several officials involved in Russian policy, including a U.S. ambassador to Russia.

Tactics, Techniques, and Procedures (TTPs)

Interactions with Targets and Victims

RUS2 will engage and exchange information interactively with targets to bolster credibility and advance their campaigns.

Exfiltration

RUS2 is known to quickly exfiltrate the entire contents of email accounts. They perform these operations with native email clients, as well as with webmail services such as Gmail, Office 365, and Outlook Web Access.

Lateral Movement Operations

RUS2 begins lateral movement operations across an Active Directory domain, typically employing Microsoft PowerShell and Python scripts compiled into binary executable files. They quickly harvest password dumps from Domain Controllers, and seek password vault files stored on local disks and remote file servers. If they lose access to a target, they leverage previously exfiltrated usernames and passwords in order to regain access through the target’s external services.

Indicators of Compromise

The following IOCs were observed by Area 1 Security during the campaigns described herein:


A partial summary of the targets RUS2 focused on during its November 9, 2016, campaign is provided below:

Financial Services
  Vice Chairman Investment Banking
  General Counsel
  Director Federal Government Relations
  Government Relations Intern

Defense Industries
  Vice President Congressional Relations
  Executive Office Administrator
  Vice President Intelligence
  Vice President External Relations

Obama for America
  Deputy Campaign Manager
  Deputy Media Director
  Assistant to the Campaign Manager
  Deputy Field Director
  HR Regional Manager
  Battleground State Director

The White House, 2008–2016
  Deputy Counsel for the President
  Deputy Assistant Secretary of Defense for Russia/Ukraine/Eurasia
  Assistant to the Political Director
  Advance Associate for the First Lady
  Advance Associate for the President
  Presidential Personnel Office

Department of State, 2008–2016
  United States Ambassador to Russia
  Deputy Assistant Secretary for Bureau of European and Eurasian Affairs
  Assistant Secretary of State for European and Eurasian Affairs
  Foreign Affairs Officer for Office of Weapons of Mass Destruction Terrorism

Department of Energy, 2008–2016
  Assistant Secretary for the Office of International Affairs
  Deputy Assistant Secretary for Asia and the Americas
  Director for Office of Nuclear Threat Science
