2018 GLOBAL THREAT REPORT - BLURRING THE LINES BETWEEN STATECRAFT AND TRADECRAFT - CrowdStrike
2018 GLOBAL THREAT REPORT
BLURRING THE LINES BETWEEN STATECRAFT AND TRADECRAFT

INSIDE:
• TARGETED INTRUSIONS
• CRIMINAL AND HACKTIVIST ACTIVITY
• 2018 PREDICTIONS
FOREWORD

It's been another banner year for bad actors.

Not only did the volume and intensity of cyberattacks hit new highs, the overall level of sophistication across the global threat landscape experienced a meteoric rise. The theme of this year's report, "Blurring the Lines Between Statecraft and Tradecraft," reflects this disturbing trend.

There are several factors contributing to this fundamental leveling of the playing field between highly skilled — and typically well-funded — nation-state adversaries and their less sophisticated criminal and hacktivist counterparts. One of the biggest contributors is the "trickle-down effect" present in the cyberthreat arena.

The idea of trickle-down is not new. In fact, it's precisely how state-sponsored research and development programs are supposed to work: Governments fund development of sophisticated technologies, and those eventually get transferred out to the private sector as products and services. Consider GPS. It was originally designed for military applications, from missile targeting to tracking objects and assets on the ground. Now everyone has GPS in their pocket, and in their car. It's so ingrained in our daily lives, it's hard to remember how we ever managed without it. That's a textbook example of how government-sponsored technology can successfully trickle down to the masses.

Unfortunately, there's also a dark side to this phenomenon. That was certainly the case with WannaCry. This crippling malware epidemic was based on military-grade espionage techniques around a Windows vulnerability known as EternalBlue, which ultimately fell into the wrong hands. A great deal of effort, time and money went into its development and, regrettably, it was leaked.

The result of trickle-down in the field of cybersecurity has been a proliferation of military-grade weaponry for cyberwarfare being pushed down into the masses and commoditized.

The consequences to legitimate organizations have been alarmingly clear. What makes these attacks so effective is that they are essentially immune to the traditional endpoint defense technologies that most organizations have relied on for the past 20 or more years.

As this report points out with great clarity, it's time for the good guys to step up. Defending against "government-grade" attacks requires enlisting a host of new security technologies and approaches that go beyond the simple signature-based prevention of the past. Check the Recommendations section of this report for actionable steps each of us can take to combat the potentially disastrous effects of trickle-down cyberattacks.

I sincerely hope that this document helps your understanding of important shifts in the threat landscape, and provides the information you need to make your organization more resilient, more prepared and better protected, so that together, we can stop breaches.

George Kurtz
CrowdStrike CEO and Co-Founder
EXECUTIVE SUMMARY

During the past year, stolen and vulnerable data proved to be valuable weapons for adversaries of every stripe, spanning across all geographies, affiliations and motivations. Data extortion, data ransom and outright theft have affected both large and small organizations throughout the world. Data even facilitated the most destructive attacks of the year when stolen cyber espionage tools, EternalBlue and DoublePulsar, were first leaked by the Shadow Brokers, and then rapidly incorporated into targeted intrusion and criminal campaigns, including WannaCry and NotPetya. The rapid adoption of these leaked state-sponsored tactics, techniques and procedures (TTPs) is emblematic of one of the most prominent and alarming trends observed in the gathering of this report: namely, the intermingling and cross-pollination of TTPs across the spectrum from sophisticated nation-state actors to the opportunistic criminal element.

Blurred Lines
The blurring of lines referenced in the title of this report has manifested in various ways in the past year. In many cases, less technically adept actors "upped their game" by employing TTPs that would normally be above their pay grade. In other instances, state-affiliated actors known for their highly evolved targeted intrusion TTPs took a page from lower-echelon eCrime adversaries. For example, the WannaCry and NotPetya attacks heralded the rise of nation-state-sponsored ransomware, as CrowdStrike Falcon Intelligence and other organizations linked the malware and TTPs used in these operations to the Democratic People's Republic of Korea (DPRK) and Russia, respectively. Although the repurposing of criminal malware is not a new phenomenon (particularly for Russian adversaries), this is a notable trend considering ransomware's rapid growth in 2016 and 2017, suggesting targeted intrusion adversaries are taking note of what is successful in the eCrime marketplace. Likewise, WannaCry and NotPetya appeared to influence criminally motivated adversaries when a rise in the use or development of Server Message Block (SMB) spreading techniques appeared in eCrime operations in the late summer of 2017.

Expanding Exploits
Exploits continue to proliferate across the threat landscape, as was observed in the rapid spread of CVE-2017-0199, among others. Actor-agnostic TTP trending also showed a rise in the use of commodity tools and penetration-testing software (e.g., Cobalt Strike). Supply chain attacks incorporating poisoned software update packages was a rising TTP. This malware dissemination technique was notably used in the NotPetya campaign in late June 2017, but it was observed throughout the year from eCrime and targeted intrusion adversaries. Underlying all of these TTP trends is an overall effort to avoid attribution, blend in with the crowd and otherwise challenge the computer network defender.

Score One For The Good Guys
The coordinated multi-agency takedowns of major eCrime actors and networks during 2017 helped balance the scales and disrupt operations of profit-driven cybercrime groups. Given the tenacity and anonymity that surround many cybercriminals, law enforcement actions such as takedowns, arrests, and the sentencing of individuals who are involved in cybercrime are major successes for law enforcement agencies. These actions often temporarily splinter the criminal community, as actors examine their operational security and look for alternative methods for committing their crimes.

Undetected Malware and Breakout Time
Although an interesting trend observed during the past year was an increase in malware-based over malware-free attacks, a more sobering finding was that 39 percent of all incidents in 2017 were malicious software that went undetected by traditional antivirus, leaving organizations relying on these legacy solutions openly vulnerable to these threats and demonstrating a need for next-generation endpoint protection.

According to incidents CrowdStrike investigated, the average "breakout time" in 2017 was 1 hour and 58 minutes. Breakout time indicates how long it takes for an intruder to jump off the initial system (beachhead) they had compromised and move laterally to other machines within the network. This statistic shows how much time on average defenders have to detect the initial intrusion, investigate it and eject the attacker from the network before they bury themselves deeper and steal or destroy sensitive data, which can make remediation much more complex.

Get A Room
While government, healthcare and financial organizations remained among the most preferred prey of eCrime and targeted intrusion actors, the hospitality sector emerged in the past year as a growing target for criminals and, in a more unsettling turn, nation-state adversary groups, as well. International hotel chains, in particular, offer ripe picking for financial crimes, from stealing identities to pilfering credit card numbers via point-of-sale transactions. State-affiliated adversaries have also developed a deep interest in the lodging sector, whether for tracking persons of interest while they are traveling, or to enable access to these potential victims when they use electronic devices outside the confines of protected networks.

––––––––––––––––––

Numerous additional insights are contained in the pages that follow. These findings have been organized into three dovetailed sections, representing the research conducted in 2017 by CrowdStrike's threat intelligence, managed hunting and Threat Graph data collection and analysis units.
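As an added illustration of the breakout-time metric defined above (example code written for this edit, not CrowdStrike's tooling or data), the function below takes endpoint events of the shape the definition implies, an initial-access event on the beachhead and the first remote logon or execution from one host to another, and computes the per-incident interval and its average. The event records, field names and event-type labels are constructed assumptions; the averaging also shows why incidents with no observed lateral movement must be excluded rather than counted as zero.

```python
"""Compute "breakout time" per incident from endpoint telemetry.

Added example, not CrowdStrike code. Breakout time, as the report defines it,
is the interval between the intruder's first activity on the beachhead host and
the first lateral movement to another host in the same network. The records
below are constructed for illustration; the field names are assumptions.
"""
from datetime import datetime, timedelta
from statistics import mean

# Constructed sample telemetry, one record per observed event:
# (incident_id, timestamp, source_host, event_type, destination_host)
# "initial_access" marks the beachhead; "lateral_movement" marks a remote
# logon or remote execution from source_host to destination_host.
SAMPLE_EVENTS = [
    ("INC-1", "2017-06-27T10:30:00", "ws-ua-12", "initial_access", None),
    ("INC-1", "2017-06-27T10:41:00", "ws-ua-12", "discovery", None),
    ("INC-1", "2017-06-27T11:05:00", "ws-ua-12", "lateral_movement", "srv-fin-01"),
    ("INC-1", "2017-06-27T11:09:00", "srv-fin-01", "lateral_movement", "dc-01"),
    ("INC-2", "2017-09-03T08:00:00", "laptop-07", "initial_access", None),
    ("INC-2", "2017-09-03T11:28:00", "laptop-07", "lateral_movement", "file-02"),
    ("INC-3", "2017-11-15T22:10:00", "kiosk-3", "initial_access", None),
    ("INC-3", "2017-11-15T22:15:00", "kiosk-3", "credential_dump", None),
]


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def breakout_times(events):
    """Return {incident_id: timedelta or None}.

    None means no lateral movement was observed for that incident (the
    intruder was ejected, or is still confined to the beachhead), so there is
    no breakout time to report.
    """
    first_access = {}
    first_lateral = {}
    for inc, ts, src, etype, dst in events:
        t = _ts(ts)
        if etype == "initial_access":
            first_access[inc] = min(first_access.get(inc, t), t)
        elif etype == "lateral_movement" and dst is not None and dst != src:
            first_lateral[inc] = min(first_lateral.get(inc, t), t)
    result = {}
    for inc, t0 in first_access.items():
        t1 = first_lateral.get(inc)
        result[inc] = (t1 - t0) if t1 is not None and t1 >= t0 else None
    return result


def average_breakout(events):
    """Mean breakout time over incidents where breakout occurred, else None.

    Incidents without lateral movement are excluded: counting them as zero
    would shrink the average and overstate how little time defenders have.
    """
    deltas = [d for d in breakout_times(events).values() if d is not None]
    if not deltas:
        return None
    return timedelta(seconds=mean(d.total_seconds() for d in deltas))


def fmt(delta):
    """Render a timedelta as 'Nh MMm' for reporting."""
    hours, rem = divmod(int(delta.total_seconds()), 3600)
    return f"{hours}h {rem // 60:02d}m"


if __name__ == "__main__":
    for inc, d in breakout_times(SAMPLE_EVENTS).items():
        print(inc, "no breakout observed" if d is None else fmt(d))
    print("average:", fmt(average_breakout(SAMPLE_EVENTS)))
```

On the constructed data, INC-1 breaks out in 35 minutes and INC-2 in 3 hours 28 minutes, while INC-3 never leaves the beachhead; the average therefore covers two incidents, not three. Real telemetry needs the same treatment for the event types that count as "lateral": remote service creation, WMI and PowerShell remoting, and network logons, not only interactive RDP.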
METHODOLOGY

The information in this report was compiled using the following resources:

Falcon Intelligence™
The CrowdStrike Falcon Intelligence team provides in-depth and historical understanding of adversaries, their campaigns and their motivations. The global team of intelligence professionals tracks 95 adversaries of all types, including nation-state, eCrime and hacktivist actors. The team analyzes adversary tools, tactics and procedures (TTPs) to deliver in-depth, government-grade intelligence to enable effective countermeasures against emerging threats.

Falcon OverWatch™
CrowdStrike Falcon OverWatch provides proactive threat hunting conducted by a team of experienced threat hunters providing 24/7 coverage on behalf of CrowdStrike customers. In 2017, OverWatch identified and helped stop more than 20,000 breach attempts, employing expertise gained from daily "hand-to-hand combat" with sophisticated adversaries. The OverWatch team works to identify hidden threat activity in customers' environments, triaging, investigating and remediating incidents in real time.

CrowdStrike Threat Graph™
As the brains behind the CrowdStrike platform, Threat Graph is a massively scalable, cloud-based graph database model custom built by CrowdStrike. It processes, correlates and analyzes petabytes of real-time and historical data collected from over 90 billion events a day across 176 countries. The Threat Graph architecture combines patented behavioral pattern matching techniques with machine learning and artificial intelligence to track the behaviors of every executable across CrowdStrike's global customer community. This combination of methodologies enables the identification and blocking of previously undetectable attacks, whether or not they use malware.

CrowdStrike Services
This report references the CrowdStrike Services organization and its annual report, the "CrowdStrike Cyber Intrusion Services Casebook," which recounts real-life client incident response (IR) engagements handled by the services team. In addition to hands-on IR services conducted by its team of professional investigators, CrowdStrike Services provides proactive services such as cybersecurity maturity assessments, IR policy and playbook development, tabletop exercises, red teaming operations and compromise assessments. Response and remediation services are conducted by highly experienced IR experts who investigate breaches to determine how attackers accessed a client's environment; mitigate attacks and eject intruders; and analyze attacker actions and provide clients with actionable guidance to prevent future adversary access.

NAMING CONVENTIONS

This report follows the naming conventions instituted by CrowdStrike Falcon Intelligence, which categorizes adversaries according to their nation-state affiliations or motivations (e.g., eCrime or hacktivist). The following is a guide to these adversary naming conventions.

Adversary | Category or Nation-State
BEAR | Russian Federation
CHOLLIMA | Democratic People's Republic of Korea (North Korea)
JACKAL | Hacktivist
KITTEN | Iran
LEOPARD | Pakistan
PANDA | People's Republic of China
SPIDER | eCrime
TIGER | India
TABLE OF CONTENTS
03 Foreword
04 Exec Summary
06 Methodology
07 Naming conventions
10 FINDINGS PART 1: CROWDSTRIKE FALCON INTELLIGENCE
10 Introduction
11 Weaponization of Data
16 Middle Eastern Origins
17 The Takedown Effect
24 TARGETED INTRUSION
25 China
30 Russia
35 Iran
38 North Korea (DPRK)
40 Other Adversaries
42 ECRIME
45 Banking Trojans
48 Targeted eCrime
52 HACKTIVISM
53 2018 Outlook
56 CONCLUSION
58 FINDINGS PART 2: CROWDSTRIKE FALCON OVERWATCH
58 Introduction
59 Hospitality Sector Heavily Targeted throughout 2017
63 Intrusion Campaign Against Legal Sector Uses PowerShell-GitHub-Shell
64 Growing Tensions Between U.S. and DPRK Coincide with CHOLLIMA Activity
65 Suspected KITTEN Attacks Target Middle East
65 PANDA Actor Harvests Call Data from Telecommunications Provider
66 PANDAs Increase Their Targeting of Western Policy-Focused NGOs
70 FINDINGS PART 3: CROWDSTRIKE THREAT GRAPH
71 Background
73 Recent Attack Types and Their Targets Using Threat Graph Telemetry
73 Dwell Time and Lateral Movement Speed
73 Antivirus Effectiveness
75 Malware-Free Attacks by Industry
78 RECOMMENDATIONS10 11
FINDINGS PART 1: CROWDSTRIKE FALCON INTELLIGENCE

Introduction
CrowdStrike Falcon Intelligence introduced 16 new actor profiles in 2017 - nine eCrime adversaries and seven targeted intrusion adversaries - bringing the total of identified, named adversaries to 95. In the following section, the Falcon Intelligence team presents highlights from the most significant events in the cyberthreat landscape. The analysis presented demonstrates how threat intelligence can provide a deeper understanding of the motivations and objectives of these actors, and how to use that information to better defend your organization.

Weaponization of Data
On September 7, 2017, consumer credit reporting agency Equifax announced a cybersecurity incident potentially impacting more than 143 million U.S. consumers, making this incident one of the largest reported breaches of 2017. Although such big events garner headlines, the scale of the problem can be obscured by the sheer volume of data breaches that occur on a daily and weekly basis. In many ways, the unintended compromise of data can be "death by a thousand cuts" for consumers who have offered their information up to online forms servicing a plethora of organizations, from their local school boards to their doctors' offices.

In fact, the top two sectors in CrowdStrike data breach reporting have been government and healthcare. At least half of these reported incidents concerned smaller organizations — city-level entities in the case of the government, and local hospitals and doctors' offices in the case of healthcare. The high percentage of occurrences in these sectors may be due to penalties imposed on organizations for failure to report a data exposure. Regardless, the evidence shows that ransomware and extortion attacks are extremely common in both sectors.

Financially motivated adversaries targeted retail and hospitality sectors with attacks focused on point-of-sale (PoS) devices, an operational model that often results in the resale of stolen credit cards in criminal marketplaces. Large-scale criminal operations from adversaries such as CARBON SPIDER and COBALT SPIDER can often fuel more sophisticated PoS operations.

In addition to the disclosed Equifax breach, one-third of the reported financial sector breaches affected cryptocurrency companies with an array of threats, from attempts to steal tokens to the compromise of systems via spear phishing. Although the rising value of cryptocurrencies may lead one to believe these are eCrime threats, it is possible such operations are undertaken by nation-states aiming to increase revenue (e.g., DPRK).

Even the Equifax breach may have been the work of targeted intrusion adversaries. While not attributed to a particular actor, open-source reporting has indicated investigators are researching whether a state-sponsored adversary is responsible. Previously, Chinese state-sponsored actors were linked to large-scale data breaches at health insurers and the U.S. Office of Personnel Management (OPM) in 2015. As was the case with these previous breaches, and those that fueled the Shadow Brokers and WikiLeaks releases this year (noted below), the effects of many of the reported breaches of 2017 may not be known for some time.

Figure 1: Reported Data Compromises per Industry. Industries shown, in the order they appear in the chart: Government, Healthcare, Financial, Media & Entertainment, Technology, Hospitality, Retail, Aviation, Military, Transportation, Travel, Academia, Computer Gaming, Engineering, Energy, Maritime, Professional Services, NGO, Sports Org.
Data from Previous Breaches of U.S. Intelligence Agencies Released
The U.S. intelligence community was particularly affected by data breaches. These include public disclosures of purported tools used by the Central Intelligence Agency (CIA) via WikiLeaks throughout 2017, and the Shadow Brokers' leak of National Security Agency (NSA) tools and exploits in April of that year. Although both breaches likely occurred prior to 2017, serious effects of the leaks were more fully realized in 2017.

Shadow Brokers
On April 8 and April 14, 2017, the Shadow Brokers threat actor announced the public disclosure of tools and exploits, which they claim were used by the targeted intrusion adversary publicly known as the Equation Group. The April 8 release purportedly included Unix tools and exploits. The April 14 release included exploits and tools designed to target several versions of the Windows operating system and related enterprise software.

Included in the leaked tools were the Eternal family of exploits/vulnerabilities and the backdoor DoublePulsar. These were incorporated by a large number of malicious adversaries. The EternalBlue vulnerability in particular fueled fast-propagating operations such as WannaCry and NotPetya. Additional eCrime operations, which did not explicitly include Eternal exploits, were nevertheless inspired to experiment with SMB-spreading mechanisms.

WikiLeaks Vault 7 and Vault 8
On March 7, 2017, WikiLeaks began publishing documents under a program dubbed Vault 7. Subsequent releases occurred every one to two weeks until September 2017. For the Vault 7 releases, WikiLeaks disclosed the configuration, installation and operation manuals for many pieces of malware, but did not release specific exploit or malware code for any of these products. This decision was amended for the Vault 8 releases, which began on Nov. 9, 2017. The aim for Vault 8 appears to be to provide source code and analysis for CIA cyber tools, including those described in the previous Vault 7 series. WikiLeaks claimed that the purpose of this series of leaks was "to initiate a public debate about the security, creation, use, proliferation and democratic control of cyber weapons."

The effect of Vault 7 was likely an international awareness of the capabilities of the U.S. intelligence community. With the decision to include source code in the Vault 8 releases, the chances of malicious tools being repurposed increase significantly.

Self-Serving Extortion Actors
Although not all data exposures are the result of malicious actors, several significant breaches occurred in 2017, highlighting the need for tighter security over data and the popularity of data acquisition by a variety of actors intent on ransoming or otherwise monetizing it.

OurMine: Self-Proclaimed Gray Hat Group
CrowdStrike Falcon Intelligence saw renewed activity from the self-styled security group OurMine. This adversary appears to be a financially motivated gray-hat-like group that compromises social media accounts and websites, stealing data in order to publicly shame companies, then urging them to buy their security services. Despite its claim to now represent a legitimate company, OurMine team tactics can still be characterized as extortive. This group claimed to have compromised both Home Box Office (HBO) and Sony PlayStation Network (PSN), which demonstrates a focus on entertainment and technology sector victims. Falcon Intelligence assesses that OurMine comprises multiple members, some of whom reside in Saudi Arabia.

OVERLORD SPIDER: Aggressively Monetizing High-Profile Data
This adversary targets entertainment and healthcare sector targets with undisguised data extortion attacks. OVERLORD SPIDER relies on the relatively poor security practices of small or less-sophisticated firms, and takes advantage of the potential legal, financial and public relations liabilities resulting from the potential loss of customers' data. Thus, the main extortive threat from this actor involves the release of personally identifiable information (PII) belonging to high-profile customers of the victim company. To raise awareness of the breach, OVERLORD SPIDER often conducts aggressive dissemination efforts — naming the victim in social media, for example, and interacting with technology journalists. The actor has identified Bitcoin (BTC) as its preferred method of data ransom payment.

2018 Data Breaches & Exposure Outlook
A third of all CrowdStrike reporting on data breaches references inadvertent or accidental disclosure, but even these unintentional exposures can lead to malicious activity. Actors across the motivation spectrum have taken advantage of unsecured data.

State-Sponsored Ransomware
This year was punctuated by high-profile campaigns linked to nation-states in which ransomware may have been used for financial or disruptive purposes, or instances where destructive malware was disguised as ransomware. What was once a criminally motivated operation model appears to have been adopted by nation-states that are seeking alternative sources of income (e.g., DPRK) or a means to disable opponents (e.g., Russia).

Table 1: Ransomware Campaigns with Possible or Confirmed Links to Targeted Intrusion Adversaries

Malware | Target | Nation-State Linked | Destructive | Use of EternalBlue
VenusLocker | South Korea | Possibly DPRK (RoK cluster) | N/A | N/A
WannaCry | Worldwide | DPRK | N/A | ✔
XData | Ukraine | Russia | Possible | N/A
NotPetya | Ukraine, but other countries impacted | Russia | ✔ | ✔
IsraBye | Israel | Possible: May be geopolitically motivated hacktivist activity | ✔ | N/A
BadRabbit | Ukraine, Russia | Russia | N/A | N/A
Tyrant | Iran | Possible: Targeting suggests nexus to Iranian government | N/A | N/A
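The SMB-spreading behaviour described under Shadow Brokers above, which the Blurred Lines section of the summary notes was copied into eCrime operations after WannaCry and NotPetya, shows up in network telemetry as one host fanning out to many peers on TCP/445 within seconds. The following is an added example written for this edit, not CrowdStrike code, of a simple actor-agnostic detector for that pattern run over constructed flow records; the log format, field layout and threshold values are assumptions, and the point is that counting distinct destinations per source in a sliding window separates a worm from a workstation that talks to the same file server all day.

```python
"""Detect worm-like SMB fan-out from connection logs.

Added example, not from the report. A newly infected WannaCry/NotPetya host
reaches out to many addresses on TCP/445 in a short time. A source contacting
an unusual number of *distinct* destinations on 445 inside a sliding window is
a cheap, exploit-independent signal for that behaviour. The flow records below
are constructed; the "<ts> <src> -> <dst>:<port>" format is an assumption.
"""
from collections import defaultdict, deque
from datetime import datetime

# Constructed flow records. 10.1.1.20 fans out to 11 hosts in five seconds;
# 10.1.1.30 hits one file server twice; 10.1.1.40 touches three hosts slowly;
# the last line is out of order and not on 445, so it must be ignored.
SAMPLE_FLOWS = """\
2017-06-27T10:30:01 10.1.1.20 -> 10.1.1.5:445
2017-06-27T10:30:02 10.1.1.20 -> 10.1.1.6:445
2017-06-27T10:30:02 10.1.1.20 -> 10.1.1.7:445
2017-06-27T10:30:03 10.1.1.20 -> 10.1.1.8:445
2017-06-27T10:30:03 10.1.1.20 -> 10.1.1.9:445
2017-06-27T10:30:04 10.1.1.20 -> 10.1.1.10:445
2017-06-27T10:30:04 10.1.1.20 -> 10.1.1.11:445
2017-06-27T10:30:05 10.1.1.20 -> 10.1.1.12:445
2017-06-27T10:30:05 10.1.1.20 -> 10.1.1.13:445
2017-06-27T10:30:06 10.1.1.20 -> 10.1.1.14:445
2017-06-27T10:30:06 10.1.1.20 -> 10.1.1.15:445
2017-06-27T10:30:10 10.1.1.30 -> 10.1.1.5:445
2017-06-27T10:30:10 10.1.1.30 -> 10.1.1.5:445
2017-06-27T10:45:00 10.1.1.40 -> 10.1.1.5:445
2017-06-27T10:45:00 10.1.1.40 -> 10.1.1.6:445
2017-06-27T10:46:00 10.1.1.40 -> 10.1.1.7:445
2017-06-27T10:30:07 10.1.1.20 -> 10.1.1.50:443
"""


def parse_flow(line):
    """Parse one constructed flow line into (timestamp, src, dst_ip, dst_port)."""
    ts, src, _arrow, dst = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst_ip, int(dst_port)


def smb_fanout_alerts(lines, threshold=10, window_seconds=60, port=445):
    """Return [(src_ip, window_start, distinct_targets), ...].

    A source is reported once, at the moment it first reaches `threshold`
    distinct destinations on `port` within `window_seconds`. Repeat
    connections to the same destination do not add to the count, so a client
    hammering one file server stays below the bar.
    """
    flows = sorted(parse_flow(l) for l in lines.splitlines() if l.strip())
    recent = defaultdict(deque)  # src -> deque of (timestamp, dst_ip)
    alerted = {}
    for ts, src, dst_ip, dst_port in flows:
        if dst_port != port:
            continue
        q = recent[src]
        q.append((ts, dst_ip))
        # Drop entries that have fallen out of the sliding window.
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        targets = {d for _, d in q}
        if len(targets) >= threshold and src not in alerted:
            alerted[src] = (q[0][0], len(targets))
    return [(src, first, n) for src, (first, n) in alerted.items()]


if __name__ == "__main__":
    for src, first, n in smb_fanout_alerts(SAMPLE_FLOWS):
        print(f"ALERT {src}: {n} distinct SMB targets since {first.isoformat()}")
```

With the default threshold only 10.1.1.20 is reported; lowering the threshold to 3 also flags 10.1.1.40, which is the trade-off a tuner faces between catching a slow scanner and paging on an administrator's script. In production the same logic would read from NetFlow or EDR network events rather than a string, and a hit should be correlated with the SMB exploit indicators on the destination side before anyone isolates the host.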
WANNACRY: Heralding the Rise of Nation-State Linked Ransomware

On May 12, 2017, a new ransomware family called WannaCry began making headlines as it rapidly infected the networks of organizations across the globe. The scale of this attack, which expanded rapidly over the course of a single day, was unique. The authors of this malware incorporated sophisticated propagation techniques, leveraging the recently released EternalBlue vulnerability (CVE-2017-0144) and the DoublePulsar backdoor. The self-propagation aspect of this malware ensured a high infection rate among organizations that had not yet implemented the associated updates to their systems.

The demand for Bitcoin and indiscriminate targeting profile suggests that the adversary behind this campaign was financially motivated, much like previously observed eCrime threats. However, code overlaps with malware linked to DPRK adversaries implied this operation was state-sponsored. Following months of reporting that intelligence agencies had attributed the attack to DPRK state-sponsored actors, on Dec. 18, 2017, the U.S. government directly credited North Korea with creating and distributing the malware.

Falcon Intelligence has previously assessed that North Korean adversaries use cyber operations to acquire funds and foreign currency for the Kim regime. Throughout the latter half of 2017, LABYRINTH CHOLLIMA appears to have increased the number of cryptocurrency-themed spear-phishing campaigns, suggesting a high level of interest in Bitcoin and the acquisition of cryptocurrency.

Furthermore, WannaCry was not the first attempt by DPRK actors to use ransomware. Sensitive source reporting identified an earlier campaign, allegedly active between December 2016 and March 2017, that leveraged the commodity ransomware VenusLocker. Samples from this cluster of VenusLocker featured the ability to encrypt Hangul Word Processor (HWP) files and a Korean-language extortion message, suggesting South Korea was a specific target for this operation.

Table 2: Code Overlaps Between WannaCry and DPRK Adversary Tools. Technical analysis of the toolset used by DPRK adversaries has supported a code-sharing hypothesis.

Characteristic | WannaCry | Hawup RAT (LABYRINTH CHOLLIMA) | TwoPence (STARDUST CHOLLIMA)
Generation of fake TLS handshake | ✔ | ✔ | ✔
Preference for Microsoft Visual Studio 6.0 | ✔ | ✔ | ✔
Contains code based on minizip | ✔ | ✔ | ✔
Deployed through a dropper that extracts payload from an embedded password-protected drive | ✔ | ✔ | ✔
Conversion routine for hand-coded cryptographic data | ✔ | ✔ | ✔
API functions resolved dynamically | ✔ | ✔ |

From NotPetya to BadRabbit: A Series of Ransomware and Pseudo-Ransomware Campaigns Targeted Ukraine

On June 27, 2017, another apparent ransomware variant named NotPetya began to spread globally using the EternalBlue vulnerability. This activity initially elicited comparisons to the WannaCry campaign. However, technical analysis revealed an extensive operation using several ransomware variants that appeared to specifically target Ukrainian users. In addition to the use of EternalBlue in the NotPetya campaign, these operations leveraged multiple TTPs to infect devices and propagate these ransomware variants. These TTPs included supply chain interdiction, strategic web compromises and credential harvesting to facilitate propagation. In the case of NotPetya specifically, file recovery was not possible, indicating this was not a financially motivated operation, but rather a destructive attack disguised as ransomware. These TTPs, as well as the choice of targets, suggest this operation is aligned with Russian state-sponsored hackers.

Table 3: Ransomware Events Targeting Ukraine

Date | Malware | Code Overlap | Infection Vector
May 18 | XData | AES-NI (criminal ransomware) | M.E.Doc update
June 22 | PSCrypt | N/A | Unsecured RDP ports
June 26 | FakeCry | WannaCry, in appearance only | M.E.Doc update
June 27 | NotPetya | Petya | M.E.Doc update, SWC campaign, EternalBlue propagation
Oct. 24 | BadRabbit | NotPetya | SWC

Initial infections of NotPetya appeared on systems running a legitimate updater for the document management software M.E.Doc. Ukrainian companies and companies operating in Ukraine rely on the M.E.Doc software to maintain tax information and payroll accounting. Subsequently, CrowdStrike Falcon Intelligence was able to confirm through Falcon telemetry that M.E.Doc updates were an initial infection vector for NotPetya. Additional reports indicate that a separate malware family, XData, was also pushed by these software update packages as early as May 2017. Falcon Intelligence assesses it is highly likely that Russia-based adversaries had awareness of M.E.Doc, given the widespread integration of this software into business and government communications.

Many of these campaigns appeared to imitate ransomware on the surface. However, the true intent of these operations was not financial gain, as is typically the case with ransomware — it was to destroy data on targeted networks. The XData campaign, for example, did not provide a payment amount or guidance on how file recovery could occur. The operators of NotPetya initially offered an email to facilitate payment, but this address was suspended shortly after news of the malware broke. A truly financially motivated actor likely would not have implemented such a fragile payment mechanism, indicating the motivation for the actor behind NotPetya was not financial gain, but rather data destruction. Moreover,
the developers of NotPetya altered Petya ransomware to erase the decryption key after encrypting the master file table (MFT). This technique offers no method to recover the files, making NotPetya a wiper, not ransomware. It should also be noted that the NotPetya developers altered the Petya binary, suggesting the adversary did not have access to the source code, and therefore, reverse-engineered the malware. This also reaffirms the assessment that NotPetya and Petya were created by separate developers.

The NotPetya successor BadRabbit adhered more closely to the designation of ransomware, technically enabling data recovery, although the process for acquiring a recovery key did not appear to be user-friendly and it is unknown whether the attacker would have responded with the required information. The lack of concern for file recovery strongly suggests the adversary is not financially motivated, but rather seeking to harass the victim organizations — and possibly to erode trust in the networks that support a variety of essential functions for the affected companies and government entities.

Masking these attacks as eCrime is reminiscent of a Russian military doctrine known as maskirovka, which features deception, concealment and disguise. The goal of maskirovka is not only to deceive or confuse an adversary, but also to hide the true origin or intent of an operation. Although NotPetya was eventually revealed to be a wiper, the veneer of ransomware delayed this initial assessment.

Middle East Origins

IsraBye
Discovered in early August 2017, IsraBye is a wiper that displays a ransom message listing fictitious conditions for file recovery. Technical analysis indicated the developer likely intended that the files be destroyed permanently. When executed, the malware displays anti-Israeli and pro-Palestinian imagery, rhetoric and audio content on victim machines while overwriting files and appending their names with the .israbye suffix. The displayed content contained references to the Al Aqsa Mosque compound, reinforcing the intended timing of this operation, which coincided with clashes surrounding controversial July 2017 security measures put in place by Israeli security services at the Al Aqsa compound. The anti-Israel content and the timing of this malware operation indicate that it was almost certainly politically motivated. Multiple elements of the wiper are indicative of a hacktivist developer. For instance, the background image used for the wiper is identical to a defacement page used by the Palestinian hacktivist group Giant's-ps.

Tyrant and WannaSmile
Throughout the latter part of 2017, Falcon Intelligence observed an increase in ransomware attacks targeting internet users in locations where the Farsi language is spoken. Open-source reporting listed at least two recent cases, in October and November 2017, involving ransomware families called Tyrant and WannaSmile. Although reports suggested these cyber operations were criminal in nature, Falcon Intelligence assesses that both the Iranian government and state-sponsored actors could have equal motivation for conducting these attacks.

According to an Iranian government authority, the Psiphon virtual private network (VPN) software was spoofed by the purported operators of the Tyrant campaign and used to distribute the ransomware. Psiphon is used to evade government censorship and filtering efforts, and thus, this software and its users are likely targets for the Iranian government. Iran has an extensive history of targeting popular applications such as Psiphon with restrictions and strict regulations. If the Tyrant operation was motivated by domestic security interests, this case highlights the potential that the Iranian government uses the cover of cybercrime operations to disrupt or poison the uptake of software such as Psiphon.

2018 Nation-State-Linked and Targeted Ransomware Outlook
High-profile attacks in 2017 have introduced the possibility that ransomware could be used for geopolitical, and even militaristic, purposes. It is possible this trend of nation-state ransomware has plateaued, but it is even more likely that other nations — perhaps smaller countries — or even hacktivist groups will use ransomware and pseudo-ransomware wipers to disrupt victims, eroding trust between vital businesses and their customers or between governments and their constituencies.

In 2017, these attacks used TTPs that were novel and trending in 2017, including the use of the EternalBlue vulnerability and the compromise of software update supply chains. Incidents described here can be characterized by the combination of eCrime ransomware operations and targeted intrusion techniques. Therefore, in 2018 and beyond, new campaigns could incorporate the latest vulnerabilities or additional TTPs that have not been previously observed or associated with ransomware campaigns.

The Takedown Effect

Falcon Intelligence reported on several law enforcement actions targeting cybercrime (see Figure 2). Such efforts included arrests, botnet takedowns, shutting down forums associated with criminal activity, and legal injunctions against infrastructure. In some cases, these operations require cooperation among multiple international law enforcement agencies with assistance from private and non-profit cybersecurity elements. The ZOMBIE SPIDER takedown, described below, is a notable example of how broad support for a law enforcement operation can create a ripple effect in the eCrime ecosystem.

An example of this ripple effect was observed in July 2017, with the takedowns of the darknet markets AlphaBay and Hansa, a collaboration between multiple international law enforcement agencies — notably, the Dutch National Police and the U.S. Federal Bureau of Investigation (FBI). In combination with the collapse of TradeRoute, the operation against AlphaBay and Hansa has led to months of disarray for centralized darknet markets.

both HOUND SPIDER and INDRIK SPIDER faced legal action. Although these arrests may not

(developed by BAMBOO SPIDER), Gozi ISFB and Nymaim, as well as large-scale phishing and

network per day, but following the takedown operation, it was discovered that the number
On a smaller scale, legal proceedings can be dismantle the larger criminal enterprise, they “pump-and-dump” stock campaigns. Prior to of machines was in fact approximately 70,000
an effective means to handle individual eCrime can prompt other actors to examine the risks the takedown operation, Kelihos was one of the per day. In its final weeks of operation, Kelihos
actors. In December 2017, individual affiliates of they are taking when engaging in cybercrime. largest spam botnets on the criminal market. predominantly supported campaigns for Shade
It was originally estimated that an average of ransomware, Cerber ransomware, bank phishing
40,000 machines were connecting to the P2P scams and money mule lures.
Figure 2
Timeline of
January 13 July 20 November 30
Notable Law
Enforcement Link
Creator of Limitless
Logger pleads guilty
Developer of Citadel
malware sentenced
Andromeda
takedown
Events in 2017 to Russian On Oct. 3, 2017, a Spanish court decided to extradite Levashov to the United States, an action
in U.S. courts to five years in prison
by U.S. courts Government that the Russian Federation attempted to block by filing a counter-extradition request on Sept.
22, 2017. Levashov’s defense claimed that he had "access to information constituting state
January 20 April 7 July 20 December 12 secrets through the university in St. Petersburg." Furthermore, during the court proceedings,
Russian operator ZOMBIE SPIDER DoJ announces UK-based supporter
of Neverquest takedown takedown of of INDRIK SPIDER Levashov claimed that he had worked for the United Russia Party for 10 years as an officer in
arrested in Spain darknet markets sentenced
AlphaBay & Hansa the Russian Army by “collecting various information on opposition parties.” According to
Incremental adjustments to spam botnet market
December 20 open-source reporting, United Russia has denied this claim.
HOUND SPIDER
Darknet markets remain in disarray
affiliates arrested
in Romania
CrowdStrike previously reported on Levashov’s potential affiliation with the Russian
JAN FEB MAR APR MAY JUN JUL AUG SEP OCT NOV DEC government. In a forum post from 2013, his Severa persona discussed an offer that he
2017 allegedly received from the FSB to lead a team in protecting Russia from electronic threats
and providing a reactive response, if required. If this forum post was indeed legitimate, it
provides a unique insight into the FSB’s recruitment campaigns and the suspected hiring
of criminal actors. It also hints that the Russian government will overlook criminal acts,
The Fall of ZOMBIE SPIDER process propagated a carefully crafted peer
list that prevented the threat actor (in this case
particularly operations that target Western nations, if they benefit the Russian state.
On April 7, 2017, Pytor Levashov — who ZOMBIE SPIDER) from communicating with This provides cybercriminals who operate out of Russia a safe haven, and potential job
predominantly used the alias Severa or Peter infected systems. As a result of the peer list
opportunities within the Russian government in addition to their criminal enterprises. This
Severa and whom Falcon Intelligence tracks poisoning, the P2P network was transformed
as ZOMBIE SPIDER — was arrested in an into a centralized network, with infected aligns with Russia’s previous warning to its citizens against traveling to countries that have
international law enforcement operation led hosts only being able to communicate with an extradition treaty with the United States, due to the possibility of arrest and prosecution.
by the FBI. ZOMBIE SPIDER’s specialty was the sinkhole operated by Falcon Intelligence.
large-scale spam distribution, a fundamental The IP address victim information collected
component of cybercrime operations. Levashov by the sinkhole was distributed by the non-
was the primary threat actor behind a botnet profit organization Shadowserver to global
known as Kelihos and its predecessors, Waledac internet service providers (ISPs) and computer
and Storm. In addition to Levashov’s arrest, there emergency response teams (CERTs) to assist Observed Changes
was a technical operation conducted by Falcon with remediation efforts. to eCrime Distribution MONTY SPIDER, operator of the CraP2P spam
Intelligence to seize control of the Kelihos botnet. botnet (aka Necurs spambot), appeared to be a
ZOMBIE SPIDER provided criminal services to With the Kelihos spam botnet no longer in clear beneficiary of the Kelihos takedown. CraP2P
The Kelihos botnet was a peer-to-peer (P2P) a large number of affiliates, with Kelihos spam operation and ZOMBIE SPIDER behind bars, has not only distributed the pump-and-dump
botnet that used infected systems as proxies campaigns varying greatly over the years. multiple criminal operators moved to different spam, but has also picked up WIZARD SPIDER
to relay information between each other and Although pharmaceutical spam was a threat distribution methods. For example, Falcon and INDRIK SPIDER as possible customers.
the Kelihos backend servers. In order to seize consistently supported throughout Kelihos’ Intelligence has observed the Cutwail spam botnet Operators of ransomware — particularly Jaff,
control of Kelihos, Falcon Intelligence leveraged lifespan, the botnet was also used to distribute distributing Gozi ISFB and the Magnitude exploit Locky, and Globe Imposter — made use of
a technique known as peer list poisoning. This major banking Trojans such as Panda Zeus kit distributing Cerber ransomware. CraP2P for distribution during Summer 2017.20 21
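The peer list poisoning described above, modelled as an added example (this is not CrowdStrike's code and not the Kelihos protocol): a sinkhole run by the defender answers every peer request with a crafted list naming only sinkhole addresses, and because those entries always look fresher than any real peer, the crafted list spreads through normal gossip until every bot can reach nothing but the sinkhole. The ring topology, list size, timestamps and the freshest-peers-win rule are constructed assumptions.

```python
"""Peer-list poisoning of a peer-to-peer botnet, in simulation.

Added example, not CrowdStrike's code: an abstract model of the sinkhole
technique in which a crafted peer list turns a P2P network into a
centralized one whose only reachable "peers" are the sinkhole. Bot
names, list sizes, the ring topology and the freshest-peers-win gossip
rule are constructed assumptions, not details of the Kelihos protocol.
"""

MAX_PEERS = 8
POISON_TS = 10**9            # crafted "last seen" stamp that outranks any real one
SINKHOLE_NAMES = [f"sinkhole-{k}" for k in range(MAX_PEERS)]


class Bot:
    """An infected host holding a small peer list: name -> last-seen time."""

    def __init__(self, name, peers):
        self.name = name
        self.peers = dict(peers)

    def advertise(self):
        """What this node tells others when asked for peers."""
        return list(self.peers.items())

    def exchange(self, network, now):
        """One gossip round: contact every known peer, merge what they
        advertise, and keep only the MAX_PEERS freshest entries."""
        seen = dict(self.peers)
        for name in list(self.peers):
            peer = network.get(name)
            if peer is None:
                continue                                   # dead peer
            seen[name] = max(seen.get(name, 0), now)       # contact succeeded
            for other, ts in peer.advertise():
                if other != self.name:
                    seen[other] = max(seen.get(other, 0), ts)
        ranked = sorted(seen.items(), key=lambda kv: (-kv[1], kv[0]))
        self.peers = dict(ranked[:MAX_PEERS])

    def is_sinkholed(self):
        """True when every peer this bot knows is a sinkhole address."""
        return bool(self.peers) and all(p in SINKHOLE_NAMES for p in self.peers)


class Sinkhole(Bot):
    """Defender-operated node: answers every peer request with a crafted
    list that names only sinkhole addresses, each stamped POISON_TS."""

    def __init__(self):
        super().__init__("sinkhole", {})

    def advertise(self):
        return [(name, POISON_TS) for name in SINKHOLE_NAMES]

    def exchange(self, network, now):
        pass                                               # never learns real peers


def build_botnet(n):
    """Ring topology (constructed): bot i knows the next MAX_PEERS bots."""
    return {f"bot{i}": Bot(f"bot{i}", {f"bot{(i + k) % n}": 0
                                        for k in range(1, MAX_PEERS + 1)})
            for i in range(n)}


def poison(network, entry_bot="bot0"):
    """Register the sinkhole addresses and plant one of them in a single
    bot's peer list; gossip does the rest."""
    sink = Sinkhole()
    for name in SINKHOLE_NAMES:
        network[name] = sink
    bot = network[entry_bot]
    victim = sorted(bot.peers)[-1]
    del bot.peers[victim]
    bot.peers[SINKHOLE_NAMES[0]] = POISON_TS


def run(network, rounds):
    """Run gossip rounds; return how many bots now talk only to the sinkhole."""
    bots = [b for b in network.values() if type(b) is Bot]
    for r in range(1, rounds + 1):
        for bot in bots:
            bot.exchange(network, r)
    return sum(1 for b in bots if b.is_sinkholed())


if __name__ == "__main__":
    for rounds in (1, 3, 8):
        net = build_botnet(60)
        poison(net)
        print(f"after {rounds} round(s): {run(net, rounds)} of 60 bots sinkholed")
```

Running the file shows the count of centralized bots growing by one ring segment per gossip round until all 60 talk only to the sinkhole; at that point the operator's relay path is gone and the sinkhole sees every victim address, which is the data Shadowserver distributed to ISPs and CERTs in the Kelihos case.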
Spam Botnets and Law Enforcement 2018 Outlook

Spam botnets such as Cutwail and CraP2P, which have sustained operations in the wake of the ZOMBIE SPIDER takedown, are likely to continue at their current pace. However, established and well-resourced operations may develop in-house solutions for distributing their malware, as was observed from several banking Trojan operators experimenting with various propagation methods.

Given the tenacity and anonymity that surrounds many cybercriminals, law enforcement actions such as takedowns, arrests and the sentencing of individuals who are involved in cybercrime are major successes for law enforcement agencies. These actions often temporarily splinter the criminal community, as actors examine their operational security (OPSEC) postures and look for alternative methods for committing their crimes.

Despite the immediate results, disruptions can also create opportunities for ambitious criminal operators or prompt adversaries to retool. Therefore, continued vigilance is needed to assess the long-term effects on the overall threat landscape.

Finally, financially motivated eCrime adversaries are not the only actors subject to legal ramifications. As described in the China section below, the U.S. Department of Justice (DoJ) announced several indictments against Chinese individuals linked to likely nation-state espionage operations. U.S. authorities may consider expanding this approach as a means to deter individuals from assisting in targeted intrusion operations.

Exploit Proliferation

Although the rise of nation-state ransomware was perhaps the most visible TTP trend of 2017, these attacks were enabled by several other TTPs that appeared to be on the rise, including the EternalBlue vulnerability and the compromise of software update mechanisms.

In addition to EternalBlue, Falcon Intelligence tracked the proliferation of several notable vulnerabilities, including CVE-2017-0199 and CVE-2017-8759, which demonstrated similar trajectories.

The ability to incorporate newly publicized vulnerabilities is an indication of a fairly sophisticated adversary — one with development resources sufficient to take advantage of the vulnerability before large organizations can apply available patches. Figure 3 provides a timeline of how a few of the notable exploits proliferated among several adversaries, both criminally motivated groups and state-sponsored actors.

As the exploit grows stale, it is often incorporated into Metasploit modules or other custom builders, thus opening the door for other groups to adopt these TTPs. COBALT SPIDER is suspected of using an exploit document builder. Such tools are for sale on Russian underground marketplaces. This adversary incorporated CVE-2017-0199, CVE-2017-8759 and CVE-2017-11882 into their spear-phishing operations shortly after zero-day.

Chinese adversaries also leveraged CVE-2017-0199, CVE-2017-8759 and CVE-2017-11882 into several disparate campaigns, likely at the hands of multiple separate groups. The rapid incorporation of all of these exploits into China-based operations suggests these adversaries may have access to a centralized dissemination channel for tools and exploits. It is also possible that China was already aware of some or all of these vulnerabilities. Recent industry reporting has suggested that the Chinese National Vulnerability Database (CNNVD) is a loose cover for the Ministry of State Security (MSS) and provides early access of vulnerabilities to China’s intelligence services before publicly reporting them.

Software Update Supply Chain Attacks

Software supply chain attacks have long been associated with nation-state espionage operations, but in 2017, this technique appeared to spread. The infection of software update processes was observed in criminally motivated and destructive campaigns, in addition to likely state-sponsored activity. Figure 4 provides a summary of some of the notable incidents in this TTP category.

CrowdStrike also observed a variation of this tactic in which the attacker does not modify the code, but instead uses brand-spoofing to facilitate an attack. In such an operation, a legitimate application is advertised as available for download; upon download, a user is prompted to update the software via adversary-controlled infrastructure, thus providing an avenue for malicious execution. This type of attack was used to distribute ProtonRAT in November 2017. The operation involved the registration of a domain, symantecblog[.]com, which spoofs the blog for the information security provider Symantec. The available hyperlink for downloading an antivirus tool from that page consisted of a MacOS application that delivers ProtonRAT.
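A client-side check against the two update-channel abuses described above, a brand-spoofed download host and a modified update package, added here as an example and not vendor code: the installed application pins the vendor's update host and a signing key, and refuses any update whose manifest is not signed, whose bytes did not come from the pinned host, or whose hash does not match the manifest. Host names, key, manifest layout and payloads are constructed; the HMAC stands in for the public-key signature a vendor would actually use.

```python
"""Verifying a software update before executing it.

Added example, not vendor code: an update client that fails closed on
the failure modes in the text - an update served from lookalike
infrastructure, a package whose contents differ from what the vendor
published, and a manifest the vendor never signed. Host, manifest, key
and payload bytes are constructed; the HMAC stands in for the vendor's
real signature scheme (a public-key signature over the manifest, with
the public key shipped inside the installed application).
"""
import hashlib
import hmac
import json
from urllib.parse import urlsplit

VENDOR_HOST = "updates.example-vendor.test"      # constructed, pinned at install time
VENDOR_KEY = b"constructed-demo-key"              # stand-in for the vendor's signing key

GOOD_PAYLOAD = b"example-app-2.0.1 binary contents"               # constructed
TAMPERED_PAYLOAD = b"example-app-2.0.1 binary contents + implant"  # constructed


def sign_manifest(manifest, key=VENDOR_KEY):
    """Canonical JSON so signer and verifier hash identical bytes."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def make_manifest(version, payload, url, key=VENDOR_KEY):
    """What the vendor publishes: version, download URL and payload hash."""
    manifest = {"version": version, "url": url,
                "sha256": hashlib.sha256(payload).hexdigest()}
    return manifest, sign_manifest(manifest, key)


def verify_update(manifest, signature, payload, fetched_from,
                  key=VENDOR_KEY, pinned_host=VENDOR_HOST):
    """Return (ok, reason). Every check fails closed."""
    expected = sign_manifest(manifest, key)
    if not hmac.compare_digest(expected, signature):
        return False, "manifest signature mismatch"
    # Both the URL the manifest names and the host the bytes actually came
    # from must equal the pinned host exactly; substring or suffix matching
    # is what a lookalike domain is built to pass.
    for label, url in (("manifest", manifest["url"]), ("download", fetched_from)):
        parts = urlsplit(url)
        if parts.scheme != "https":
            return False, f"{label} URL is not https"
        if parts.hostname != pinned_host:
            return False, f"{label} host {parts.hostname!r} is not the pinned vendor host"
    digest = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(digest, manifest["sha256"]):
        return False, "payload hash does not match manifest"
    return True, "ok"


def run_scenarios():
    """Constructed cases: one legitimate update and three failure modes."""
    good_url = f"https://{VENDOR_HOST}/app/2.0.1/app.pkg"
    manifest, sig = make_manifest("2.0.1", GOOD_PAYLOAD, good_url)
    results = {"legitimate": verify_update(manifest, sig, GOOD_PAYLOAD, good_url)}
    # Brand spoofing: genuine manifest, but the user was steered to a lookalike host.
    fake_url = "https://example-vendor-updates.test/app/2.0.1/app.pkg"   # constructed
    results["lookalike_host"] = verify_update(manifest, sig, TAMPERED_PAYLOAD, fake_url)
    # Modified update package served through the real channel.
    results["tampered_payload"] = verify_update(manifest, sig, TAMPERED_PAYLOAD, good_url)
    # Attacker-authored manifest signed with a key that is not the vendor's.
    forged, forged_sig = make_manifest("2.0.2", TAMPERED_PAYLOAD, fake_url,
                                       key=b"attacker-key")
    results["forged_manifest"] = verify_update(forged, forged_sig, TAMPERED_PAYLOAD, fake_url)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in run_scenarios().items():
        print(f"{name:17s} {'ACCEPT' if ok else 'REJECT'}: {reason}")
```

The signature check comes first so that a manifest the attacker wrote never reaches the host or hash logic; the host comparison is exact rather than a substring test, which is the difference between catching and missing a domain built to contain the vendor's name.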
Figure 3: Exploit Proliferation in 2017 (timeline, January through December 2017, by exploit)

CVE-2017-0262
April 19: FANCY BEAR targets Romanian Ministry of Foreign Affairs with DownRage (0-day)
August 10: Criminally motivated spear phishing linked to COBALT SPIDER

CVE-2017-11882
November 14: Patch released
November 20: Exploit builder made available
Late November: In use by several Chinese adversaries
November 27: Delivers LokiBot info stealer
December: Criminally motivated Formbook campaign

CVE-2017-0199
January: Unidentified actor targets Ukraine with FinSpy
March 21: CARBON SPIDER uses with Ammyy Admin
April 10: Early use by INDRIK SPIDER
Spear-phishing documents linked to EXTREME JACKAL (date label not recovered)
April 11: Patch released
Mid-Late April: Adopted by several Chinese adversaries
April 19: Adopted by HELIX KITTEN
June 20: Adopted by QUILTED TIGER
Summer: Incorporated into COBALT SPIDER spear-phishing campaigns
August 25: Used by NUMBERED PANDA as well as additional suspected China-based actors

ETERNALBLUE
March 14: Microsoft releases patch
April 14: Released by Shadow Brokers
Late April: Adylkuzz mineware campaign incorporates EternalBlue
May 12: WannaCry ransomware campaign
June 27: NotPetya
July 27: Sality botnet begins to spread using EternalBlue

CVE-2017-8759
September 12: Zero-day patch
September: Adopted by COBALT SPIDER
Late September: Several incidents linked to Chinese adversary activity
October 3: Identified use by NUMBERED PANDA

Figure 4: Notable Supply Chain Attacks in 2017. The figure rates each incident on three attributes (Possible China?, Suspected Nation State?, Criminally Motivated); the YES/NO ratings did not survive extraction, except that the PyPI Typosquatting entry is rated "Possible Gray Hat". The incident descriptions follow.

PyPI Typosquatting

In September 2017, industry researchers discovered that malicious Python packages residing in the Python Package Index (PyPI) were masquerading as popular packages. The names of the malicious packages approximated those of legitimate packages and were delivered to users who mistakenly typed the fake package names. The only functionality of the malicious packages was to relay basic machine information back to a C2 server and did not allow for downloading of additional malware.

M.E.Doc

Initial infections of NotPetya appeared on systems running a legitimate updater for the document management software M.E.Doc. Additional reports indicate that a separate malware family, XData, was also pushed by these software update packages as early as May 2017.

CCleaner

On September 18, 2017, reporting emerged detailing a widespread campaign using the adware-removal tool CCleaner to distribute a malicious downloader. The second-stage payload was delivered to telecommunications and internet services companies, identified by a target list obtained from a C2 server. Early technical analysis indicated possible attribution to a Chinese adversary, based on a unique implementation of the Base64 encoding algorithm shared with variants of ZoxPNG, a tool attributed to AURORA PANDA. Further analysis of the first-stage C2 IP address demonstrated additional links to past and current China-based activity, including infrastructure overlaps with malware families HTTPBrowser, Sykipot, and Scanbox. The use of these tools has been associated with numerous Chinese adversaries, including EMISSARY PANDA and MAVERICK PANDA.

ProtonRAT

In 2017, unidentified adversaries attempted to disseminate the MacOS malware called ProtonRAT by spreading it through supply chain attacks on video-processing software, such as HandBrake and Elmedia.

NetSarang

On August 15, it was reported that a supply chain attack leveraged compromised software packages from NetSarang, a company specializing in connectivity solutions for large corporate networks. A library included in several of the NetSarang software packages was modified to contain malicious shellcode that would enable the adversary to activate an embedded implant dubbed ShadowPad. Further analysis of C2 infrastructure related to this incident revealed a connection to China-based targeted intrusion actors.
Findings Part 1

TARGETED INTRUSION

Introduction

In 2017, Falcon Intelligence identified targeted intrusion activity from across the globe. The following sections provide an overview of observed incidents attributed to adversaries in China, Russia, Iran, and North Korea. These campaigns are likely state-sponsored operations supporting intelligence or military requirements. Additionally, Falcon Intelligence continues to observe activity from the Indian subcontinent and named two new adversaries to assist in tracking these incidents — the Pakistan-based MYTHIC LEOPARD and India-based QUILTED TIGER, publicly known as Patchwork. These adversaries and others are detailed in Table 9.

China

Activity from China-based adversaries targeted multiple separate countries and industry sectors in 2017. Although this broad range of interests appears disparate, information on many of the targeted government entities likely supports intelligence requirements for military or diplomatic decision making. Observed targeting of other sectors — including technology, industry, aerospace, telecommunications, and energy — likely supports high-priority projects for the 13th Five Year Plan (FYP), such as the Belt Road Initiative (BRI).

The BRI represents China’s desire to expand its influence internationally through support to logistical supply routes and new infrastructure projects. Because investments into these projects span the globe, targeting has been observed in widely diverse regions, such as Belarus in Eastern Europe and Cambodia in Southeast Asia.

Regional geopolitical concerns also appear to drive a high percentage of Chinese targeted intrusion activity. The targeting of Southeast Asian countries reflects not only China’s heavy investment in large infrastructure projects within the region, but also ongoing territorial disputes in the South China Sea (SCS). Similarly, in the latter half of the year, suspected Korean Peninsula targeting was observed concurrent with a rise in North Korean and American rhetoric regarding DPRK’s nuclear program. In some cases, adversaries appeared to shift targeting based on these high-profile current events.

Many Chinese adversaries demonstrated the capacity to quickly incorporate new vulnerabilities, specifically CVE-2017-0199 and CVE-2017-8759. Additionally, adversaries such as NUMBERED PANDA appear to have broadened their toolkits. Activity from this adversary in July and October used the same infrastructure, but different malware families. Evidence from 2017 also suggests many China-based actor groups have adopted commodity or open-source tools such as Cobalt Strike. These toolkit choices are likely driven by an increased level of operational security and a desire to complicate attribution.
Table 4: A Summary of Observed Chinese Adversary Activity in 2017

Adversary | Ops Tempo (1) | Description
GOBLIN PANDA | High | This adversary continued long-running operations against the government of Vietnam.
WICKED PANDA | High | The target scope for this adversary appears to be broad, suggesting they are contractors who are supporting high-priority operations as needed.
HAMMER PANDA | Medium | The target scope for this adversary includes Russia and India.
DEEP PANDA | Medium | This adversary was linked to several incidents targeting the U.S. legal sector. Additional activity from early in the year, which targeted China-based cross-border payment services, supports the conclusion that this group may support domestic investigations.
NUMBERED PANDA | Medium | This adversary appeared to shift focus over the course of the year, with likely Taiwanese targeting in early 2017, targeting of Japan in mid-2017 and another shift to the Korean Peninsula in October 2017.
STONE PANDA | Medium | In April 2017, public reporting on a campaign dubbed “Cloud Hopper” described targeting of Japanese organizations in multiple sectors. There is some evidence that STONE PANDA is behind the Cloud Hopper operation, and malware identified in December 2017 suggests this adversary is still active.
STALKER PANDA | Low | This adversary is linked to BlogSpotRAT activity targeting Japan in June 2017.

(1) Operations tempo is based on observed activity and available reporting. Medium/Low tempo may indicate gaps in this visibility.

In addition to the adversary activities listed here, Falcon Intelligence identified numerous incidents that also are suspected to be linked to China.

Figure 5: Summary of Chinese Targeting in 2017 by Region
U.K.: Activity against a think tank entity was ongoing through the latter half of 2017.
Germany: A suspected Chinese actor used CVE-2017-0199 and Cobalt Strike against a German conglomerate.
India & Russia: HAMMER PANDA targeted Russia’s government, aerospace, and energy sectors, as well as an engineering and defense firm in India.
Japan: Several named adversaries, including NUMBERED PANDA, STALKER PANDA, and WICKED PANDA, were linked to the targeting of Japan.
Taiwan: In January 2017, new Ixeshe samples were observed, similar to 2016 NUMBERED PANDA activity.
Vietnam & Myanmar: For years, GOBLIN PANDA has consistently targeted Vietnam, and has possibly launched operations against Myanmar as well.
U.S.: Targeted sectors include think tanks, legal services, and medical research.
Australia: In September 2017, a decoy copied from an Australian website was used in an incident leveraging CVE-2017-8759 and MoonWind malware.
Contract for Espionage

Given the reorganization of China’s People's Liberation Army (PLA) and a noted shift in activity from WICKED PANDA (formerly associated with financially motivated attacks), Falcon Intelligence predicted a rise in China-based targeted intrusion activity undertaken by contractors in 2017. Contract companies — founded by leaders in computer science and maintaining a wide social network based on connections made via old hacking forums — may be uninhibited by bureaucracy that affects the PLA or large Chinese intelligence organizations. If true, these adversaries can likely execute operations and incorporate tools more rapidly.

Throughout 2017, WICKED PANDA embodied what Falcon Intelligence would expect from a contract entity. This adversary improved operational security and anti-analysis TTPs, evidenced by the use of machine-specific decryption keys. The use of dead-drop resolver (DDR) command and control (C2), obfuscation techniques, and encrypted payloads demonstrates a higher sophistication than what was previously observed from Chinese adversaries associated with the PLA. WICKED PANDA continued to target a diverse set of sectors and regions, possible evidence that official tasking is provided for specific operations that require these advanced techniques.

Contract entities may also be able to cast a wide net for victims, sitting on the compromise until they can effectively use the access. TTPs for acquiring large numbers of potential victims include strategic web compromises, supply chain compromises and mass spear phishing.

Chinese Nationals with Links to Cyber Espionage Named in DoJ Indictments

Dismantling social relationships between contractors and government officials will likely prove to be difficult, but as part of this process, the U.S. DoJ announced several indictments aimed at Chinese nationals suspected of contributing to nation-state espionage operations. In late August, Yu Pingan (aka GoldSun) was indicted in connection with a series of high-profile attacks targeting western aerospace and technology firms. Yu was accused of providing material support to China-based adversary groups in the form of Sakula, Hkdoor, and Adjesus malware variants. The description of the malicious activity detailed in the indictment strongly corresponds to existing CrowdStrike reporting, published in February 2014, describing intrusion operations targeting several aerospace organizations in 2012 and 2014. Additional analysis of the infrastructure associated with the 2011-2014 activity and listed in the indictment shows overlaps with TURBINE PANDA and SAMURAI PANDA, adversaries that have also targeted elements of the aerospace industry.

Following the GoldSun indictment, on November 27, 2017, the U.S. District Court of Western Pennsylvania unsealed an indictment against three employees of Chinese cybersecurity company, Guangzhou Bo Yu Information Technology Company Ltd. (Boyusec), charging them with cyber-enabled theft of intellectual property from three separate U.S. companies. Boyusec was previously outed in public reporting in November 2016 for its connections to the Chinese Ministry of State Security (MSS) and Chinese telecom giant Huawei. The three individuals named in the indictment — Wu Yingzhuo, Dong Hao, and Xia Lei — were all employees of Boyusec, with Wu and Dong being founding members and executives of the company.

Though the indictment lays out charges for intrusion activity conducted against U.S. companies in the manufacturing, financial, and aerospace sectors from 2011 through 2017, the activities of Wu in particular can be traced back to at least 2005, and they have been previously identified by Falcon Intelligence as GOTHIC PANDA. This adversary has historically used a distinct implant known as Pirpi (aka UPS, as listed in the indictment), and is known for a methodical, persistent intrusion methodology with a high degree of sophistication and OPSEC. Numerous CrowdStrike reports have described GOTHIC PANDA as a likely contractor for the MSS, based on both its TTPs and operations that occurred outside normal Beijing working hours.

The effect of these indictments may drive all China-based activity to adopt better OPSEC techniques, a process that has already been observed with the use of commodity tooling in a possible effort to hinder attribution. Within China, individuals with connections to the old hacking groups are likely training second and third generations of technically savvy operators, who can incorporate lessons learned by their predecessors over the last decade.

2018 Outlook

China

Falcon Intelligence expects that 2018 will be another transitional year for Chinese targeted intrusion activity. Groups associated with the PLA and Technical Reconnaissance Bureaus (TRBs) may follow the lead of contract groups, incorporating commodity tools and better OPSEC techniques into their TTPs. Additional attempts to reorganize the overall intelligence community in China may result in a centralized body that can provide better synthesis for cyber operations. Groups tied to well-resourced intelligence agencies will almost certainly have access to the results of additional upstream, supply chain compromises, a notable trend in 2017 that will likely continue.

After the 2015 cyber agreement between the U.S. and China, there was a shift to acquiring intellectual property through the buy-out of foreign companies. Because of the large outflow of cash from China, this method may be discouraged in the near term; therefore, cyber operations to acquire intellectual property may rise again, affecting countries in Europe, Japan, the United States, and possibly Russia.

There is some evidence that there has been a rise in U.S. targeting. The Trump administration has at times released strong rhetoric on China-U.S. relations, although in the latter half of 2017 this language shifted to one of cooperation in dealing with the potential nuclear threat of North Korea.

In 2018, Falcon Intelligence assesses U.S. targeting will likely fall under three categories — pure espionage, opportunistic compromises of soft targets such as non-governmental organizations (NGOs) and think tanks, and operations that are such a high-priority, it is worth the risk of violating the 2015 agreement with the previous administration.