Details on a 3+ year cyber espionage campaign tied to Iran using LinkedIn, Facebook, Twitter to target high ranking officials in the US, UK, Israel and other nations. More than 2,000 targets across government, defense contracting firms, lobbying groups, etc.
NEWSCASTER – Iranian Cyber Espionage using Facebook, LinkedIn, Twitter…
An iSIGHT Partners Overview
Proprietary and Confidential Information. © Copyright 2014, iSIGHT Partners, Inc. All Rights Reserved www.isightpartners.com
iSIGHT Partners: 200+ experts, 16 countries, 24 languages, 1 mission

Mission: Be the world's leading global cyber threat intelligence provider, connecting security technology and operations to the business.
Global Reach (map graphic; no text recovered)
NEWSCASTER
- Cyber-espionage campaign with links to Iran.
- Targeting high- and low-ranking personnel in multiple countries (US, UK, Israel, Saudi Arabia, Iraq):
  - U.S. military
  - Congressional personnel
  - Washington D.C. area journalists
  - Diplomatic corps
  - U.S. defense contractors
  - Israeli defense contractors
  - Members of the U.S./Israeli lobby
- Social media platforms used as the targeting platform: Facebook, LinkedIn, YouTube, Twitter.
NEWSCASTER
- Active since at least 2011.
- More than a dozen elaborate principal personas, many supported by the fictitious news organization NewsOnAir.org.
  - Included at least two falsified versions of legitimate identities from leading news organizations (Thomson Reuters, Fox News).
- More than 2,000 targets and legitimate individuals connected to the network; high probability of a vastly wider reach.
- Brash and complex: reliance on social engineering and spear-phishing for credential harvesting, plus use of malware with data exfiltration capabilities.
NEWSCASTER Personas

Persona | Purported Profession | Known Platforms | Known Connections
--- | --- | --- | ---
Sandra Maler | Reporter, NewsOnAir | LinkedIn, Facebook, Twitter, Google | 226
Adia Mitchell | Reporter, NewsOnAir | LinkedIn, Facebook, Twitter, Wordpress | 281
Amanda Teyson | Reporter, NewsOnAir | LinkedIn, Facebook, Twitter, Google | 310
Sara McKibben | Reporter, NewsOnAir | LinkedIn, Facebook | Unknown
Joseph Nilsson | Founder, NewsOnAir | LinkedIn, Facebook | 231
Jane Baker (Ava T. Foster) | Reporter, NewsOnAir | LinkedIn | 30
Mary Cole | Recruiter for Defense Contractor | LinkedIn, Facebook, Google | 500+
Berna Achando | Web Designer for Defense Contractor | LinkedIn, Facebook | 151
Jeann Maclkin | Systems Administrator for US Navy | LinkedIn, Facebook, Blogger, YouTube | 500+
Alfred Nilsson | Talent Acquisition for Defense Contractor | LinkedIn, Facebook | Unknown
Josh Nilsson (Josh Furie) | IT Manager for Defense Contractor | LinkedIn, Facebook | 130
Dorotha Baasch | IT Analyst for Defense Contractor | LinkedIn, Facebook | Unknown
Kenneth Babcock | CPA and Tax Advisor for Payment Processor | LinkedIn, Facebook, Google | Unknown
Donnie Eadense | Information Systems Manager for Defense Contractor | LinkedIn | 118
Elaborate Support for Personas
- Interconnected, multi-platform personas.
- Profile pictures taken from bystanders and the moderately famous; young, pretty women used.
- Secondary personas legitimize the principals.
- NewsOnAir.org created to legitimize multiple personas.
NewsOnAir.org
(Screenshot of the site; the only text recovered from the image is the name "Kimberly Gulifoyle".)
NewsOnAir.Org: A Front News Agency
1. Real news articles taken from Reuters, AP, BBC and other sources.
2. Article reposted to NewsOnAir.org with the original authorship removed.
3. Persona's name attached in the byline (e.g. "By Amanda Teyson", the Amanda Teyson persona).
4. Links tweeted from @NewsOnAir24.
5. Fake journalists share NewsOnAir.org links on social media networks.
Malicious Activity
- Social networking used as a reconnaissance tool and propagation method.
- Credential collection capability.
- Low-sophistication malware (IRC malware).
- Other capabilities anticipated.
Malicious Activity: credential-harvesting flow
1. Friends of the high-value target (HVT) are approached first with connection requests from the NEWSCASTER network (multiple fake personas).
2. Targeted HVT approached with a connection request.
3. Malicious link sent to the target.
4. Link leads to a fake login portal.
5. User credentials captured and stolen.
6. Unsuspecting target directed on to the promised content.
Iranian Ties
- Infrastructure: Tehran registration; "Parastoo".
- Iranian content.
- Targeting.
- Activity clustered in Tehran working hours and days.
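Scoring candidate operator time zones against activity timestamps is the analytic behind the "Tehran working hours and days" indicator above. The following is an added example and is not iSIGHT's code or data: it takes UTC timestamps of adversary actions (persona logins, link postings, domain registrations) and reports, for each candidate zone, the fraction of events that fall inside that zone's local work week. The 15 events are constructed, not observed NEWSCASTER activity; the candidate zones, the Saturday-to-Wednesday Iranian work week, the 08:00-18:00 window and the fixed UTC offsets are assumptions (Iran observed daylight time in 2014, which this model ignores, so real local hours would be shifted by one).

```python
"""Score candidate operator time zones from activity timestamps.

Added example, not iSIGHT's code or data. SAMPLE_EVENTS is constructed for
illustration; the candidate zones, fixed offsets (no daylight-saving handling)
and work-week definitions are assumptions.
"""
from datetime import datetime, timedelta, timezone

# Candidate zones as fixed UTC offsets (assumption; DST ignored).
CANDIDATES = {
    "Tehran (UTC+3:30)": timedelta(hours=3, minutes=30),
    "Moscow (UTC+4)": timedelta(hours=4),
    "London (UTC+0)": timedelta(0),
    "Washington (UTC-5)": timedelta(hours=-5),
}

# Local work days per zone as datetime.weekday() values (Mon=0 ... Sun=6).
# Iran's official work week runs Saturday to Wednesday (assumption for this model).
WORK_DAYS = {
    "Tehran (UTC+3:30)": {5, 6, 0, 1, 2},
    "Moscow (UTC+4)": {0, 1, 2, 3, 4},
    "London (UTC+0)": {0, 1, 2, 3, 4},
    "Washington (UTC-5)": {0, 1, 2, 3, 4},
}
WORK_HOURS = range(8, 18)  # 08:00-17:59 local (assumption)

# Constructed sample: 13 events on Sat-Wed between 08:00 and 17:00 Tehran time,
# one on a Friday (Iranian weekend) and one at 00:30 Tehran time on a Sunday.
SAMPLE_EVENTS = [
    "2014-05-03T04:45:00Z", "2014-05-03T06:30:00Z", "2014-05-03T09:10:00Z",  # Sat
    "2014-05-04T05:00:00Z", "2014-05-04T07:20:00Z", "2014-05-04T12:05:00Z",  # Sun
    "2014-05-05T04:40:00Z", "2014-05-05T10:15:00Z",                          # Mon
    "2014-05-06T06:00:00Z", "2014-05-06T11:30:00Z", "2014-05-06T13:00:00Z",  # Tue
    "2014-05-07T05:30:00Z", "2014-05-07T08:45:00Z",                          # Wed
    "2014-05-09T10:00:00Z",                                                  # Fri
    "2014-05-10T21:00:00Z",                                                  # Sat night
]


def parse_utc(stamps):
    """'YYYY-MM-DDTHH:MM:SSZ' strings -> timezone-aware UTC datetimes."""
    return [datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            for s in stamps]


def score_zones(events_utc, candidates=CANDIDATES, work_days=WORK_DAYS,
                work_hours=WORK_HOURS):
    """Return {zone name: fraction of events inside that zone's work week}."""
    if not events_utc:
        raise ValueError("no events to score")
    scores = {}
    for name, offset in candidates.items():
        tz = timezone(offset)
        hits = 0
        for ts in events_utc:
            local = ts.astimezone(tz)
            if local.weekday() in work_days[name] and local.hour in work_hours:
                hits += 1
        scores[name] = hits / len(events_utc)
    return scores


def best_zone(events_utc):
    """Highest-scoring zone plus the full score table."""
    scores = score_zones(events_utc)
    return max(scores, key=scores.get), scores


if __name__ == "__main__":
    best, scores = best_zone(parse_utc(SAMPLE_EVENTS))
    for name, frac in sorted(scores.items(), key=lambda kv: -kv[1]):
        print(f"{name:20s} {frac:5.0%}")
    print("best fit:", best)
```

On the constructed sample Tehran scores 13/15, Moscow 8/15, London 5/15 and Washington 1/15. Working-hours clustering is weak evidence on its own: an operator can shift schedules, operate through proxies in another zone, or simply work odd hours, and neighbouring zones (Moscow here) will always score moderately. Treat it as one signal to weigh alongside registration data, language and targeting, which is how the slide presents it.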
Implications
- The method is not novel.
- What this group lacks in technical sophistication it makes up for in brashness, creativity and patience.
- We infer from the length of this operation that it has had at least marginal success.
- Defense requires a human touch.
NEWSCASTER SUMMARY
- 3+ year cyber-espionage campaign with links to Iran.
- Targeting high- and low-ranking personnel in multiple countries (US, UK, Israel, Saudi Arabia, Iraq): U.S. military, Congressional personnel, Washington D.C. area journalists, diplomatic corps, U.S. defense contractors, Israeli defense contractors, members of the U.S./Israeli lobby.
- Social media platforms used as the targeting platform: Facebook, LinkedIn, YouTube, etc.
- More than 2,000 targets and legitimate individuals caught in the net:
  - Credential harvesting
  - Access to corporate and personal emails
  - Malware with data exfiltration capabilities
Today's Cyber Security Challenges
- CISOs finding it difficult to define security ROI to executives; short shelf life for CISOs.
- Vastly expanding attack surface area: mobile, cloud, virtualization, global business operations.
- Large protection investments and no good prioritization filter: who, why, when, how.
- Operational chaos: too many alarms, not enough people, poor prioritization.
- "Brain dead" security tools that rely on past events/signatures versus extremely agile adversaries.
- Severe breaches continue...
How Can Cyber Threat Intelligence Help?
1. Be Proactive
2. Shrink the Problem
3. Improve Prioritization
4. Enhance Executive Communications
5. Connect Security With Business
CISO recommendation: "Use a commercial threat intelligence service to develop informed tactics for current threats, and plan for threats that may exist in the midterm future."
Rob McMillan & Kelly Kavanagh, Technology Overview for Security Threat Intelligence Service Providers, published 16 October 2013.
iSIGHT Partners - What We Do
- ThreatScape® Subscriptions: Cyber Crime, Cyber Espionage, Distributed Denial-of-Service, Enterprise, Hacktivism, Mobile, Vulnerability and Exploitation.
- ThreatService™ Engagements: Analyst Access, Global Response, Bundled Analyst Research, Threat Diagnostics, Breach Diagnostics.
- ThreatScape Technologies: ThreatScape API, Partner Integrations, Intelligence Integration.
Formal Research Process Yields Rich, Contextual Threat Intelligence
Intelligence cycle (requirements, collection, processing, analysis, dissemination, feedback):
1. Intelligence requirements requested from the client.
2. Intelligence requirements created based on clients, sectors and adversaries.
3. Requirements prioritized by analysts, matched to current holdings, then passed to research teams.
4. Collection planning and tasking of global teams.
5. Requirements collected by unique global teams and returned to the fusion center.
6. Processing and exploitation to standardize multiple information sources, ready for analysis.
7. Analysis of information and production of reporting for clients.
8. Fully fused, corroborated, cross-referenced and edited multi-source intelligence reporting disseminated to clients.
9. Client feedback and clarification; refinement of the intelligence product.
How We Deliver: Fully Integrated Dissemination Model
- Consumers: Executives; Risk, Intel, Fraud; SOC; Incident Response; Tech Security Controls; Technology Partners.
- Channels: ThreatScape® API, MySIGHT Portal, ThreatScape Technologies.
- Standard formats: PGP, HTML, TXT, XML, JSON, STIX, CSV.

Sample report excerpts shown on the slide:

Executive Summary:
On April 10, 2012, iSIGHT Partners observed a mass mailing targeting chief financial officers (CFOs) with a fraudulent e-mail titled, "CFO Bulletin Update."

Context:
...The campaign is related to other Gameover Zeus analyses as it uses a similar attack infrastructure and campaign identifiers.
Malicious hyperlinks within the message point to pages hosted on compromised websites that contain no visible content, but do load one JavaScript file: hxxp://crazytraintour.com.ar/jie3Qd6E/js.js

Data:
Size: 305704 bytes
MD5: 5bda9aea96360d9260d7cf38b416af8c
Digital Signature: This file is digitally signed by 'nYZbvA3YL8XjBMx'
Certificate Validity: 04/10/2012 to 01/01/2040
Timestamp: 2010:11:01 22:56:53+01:00
Company Name: Microsoft Corporation
File Description: Windows Disk Diagnostic User Resolver
File Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Internal Name: DFDWiz.exe
...
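An analyst ingesting the "Data" excerpt above would want to test the "Microsoft Corporation" impression the version resource creates before trusting it. The following is an added example and is not iSIGHT's tooling: it parses the metadata block exactly as quoted on the slide and flags a signer name that does not match the claimed company, a signer string that looks machine-generated, an implausibly long certificate lifetime, a certificate whose validity begins on the day of the observed mailing, and a file timestamp older than the certificate; it also refangs the hxxp:// link from the "Context" excerpt so the URL can be handed to tooling. The known-signer table, the five-year lifetime limit, the seven-day window and the randomness heuristic are assumptions.

```python
"""Sanity-check code-signing metadata quoted in a malware report.

Added example, not iSIGHT's tooling. RECORD is copied from the 'Data'
excerpt on the slide; KNOWN_SIGNERS, MAX_CERT_YEARS and the randomness
heuristic are assumptions chosen for illustration.
"""
import re
from datetime import datetime

RECORD = """\
Size: 305704 bytes
MD5: 5bda9aea96360d9260d7cf38b416af8c
Digital Signature: This file is digitally signed by 'nYZbvA3YL8XjBMx'
Certificate Validity: 04/10/2012 to 01/01/2040
Timestamp: 2010:11:01 22:56:53+01:00
Company Name: Microsoft Corporation
File Description: Windows Disk Diagnostic User Resolver
File Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Internal Name: DFDWiz.exe
"""

# Assumption: signer subjects acceptable for a given claimed company name.
KNOWN_SIGNERS = {"Microsoft Corporation": {"Microsoft Corporation", "Microsoft Windows"}}
# Assumption: code-signing certificates normally run one to three years.
MAX_CERT_YEARS = 5


def parse_record(text):
    """Split 'Key: Value' lines on the first colon only, so timestamps such as
    '2010:11:01 22:56:53+01:00' survive intact."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def parse_validity(text):
    """'04/10/2012 to 01/01/2040' -> (NotBefore, NotAfter)."""
    start, end = (datetime.strptime(p.strip(), "%m/%d/%Y") for p in text.split(" to "))
    return start, end


def parse_exif_timestamp(text):
    """'2010:11:01 22:56:53+01:00' -> datetime; the offset is dropped, day-level use only."""
    return datetime.strptime(text[:19], "%Y:%m:%d %H:%M:%S")


def looks_random(name):
    """Heuristic: one token of 8+ chars mixing cases and digits with few vowels."""
    if " " in name or len(name) < 8:
        return False
    mixed_case = any(c.isupper() for c in name) and any(c.islower() for c in name)
    has_digit = any(c.isdigit() for c in name)
    vowel_ratio = sum(c in "aeiouAEIOU" for c in name) / len(name)
    return mixed_case and has_digit and vowel_ratio < 0.25


def triage(text, campaign_date=None):
    """Return a list of findings for one report record.
    campaign_date: 'MM/DD/YYYY' of the observed activity, if known."""
    fields = parse_record(text)
    findings = []
    company = fields.get("Company Name", "")
    match = re.search(r"signed by '([^']+)'", fields.get("Digital Signature", ""))
    if not match:
        findings.append("no digital signature recorded")
    else:
        signer = match.group(1)
        expected = KNOWN_SIGNERS.get(company)
        if expected and signer not in expected:
            findings.append(f"signer '{signer}' does not match claimed company '{company}'")
        if looks_random(signer):
            findings.append(f"signer name '{signer}' looks machine-generated")
    if "Certificate Validity" in fields:
        start, end = parse_validity(fields["Certificate Validity"])
        years = (end - start).days / 365.25
        if years > MAX_CERT_YEARS:
            findings.append(f"certificate valid for {years:.0f} years (limit {MAX_CERT_YEARS})")
        if campaign_date:
            seen = datetime.strptime(campaign_date, "%m/%d/%Y")
            if abs((seen - start).days) <= 7:
                findings.append("certificate issued within a week of the observed campaign")
        if "Timestamp" in fields and parse_exif_timestamp(fields["Timestamp"]) < start:
            # Benign on its own (old binaries get re-signed); telling alongside the above.
            findings.append("file timestamp predates certificate NotBefore")
    return findings


def refang(url):
    """Undo report defanging ('hxxp://', '[.]') so the URL can be fed to tooling."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url).replace("[.]", ".")


if __name__ == "__main__":
    for finding in triage(RECORD, campaign_date="04/10/2012"):
        print("-", finding)
    print(refang("hxxp://crazytraintour.com.ar/jie3Qd6E/js.js"))
```

Run against the quoted record with the mailing date from the Executive Summary, every check fires: the signer is not Microsoft, the signer string is gibberish, the certificate runs for about 28 years, it became valid on the day of the mailing, and the file's timestamp predates it. None of these checks touches the binary or validates the chain; they are a first-pass triage of the report text, and a real signature check against the file and a trusted root should follow.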
At the Ready to Help
Stephen Ward: [email protected]
www.isightpartners.com
Request more information: [email protected]