A lot of what we do is centered around exploiting 'exotic' targets that you don't normally see during the course of an average operation. Red Star OS 3 (RSOS3) is one such intriguing target that presented itself in the digital field, so we decided to recreate our assessment in our lab and post some of our findings.Read More
You can't go far without reading a new article or hearing a story about how Russia has compromised the democracy machine of the United States; however, the news articles are only getting a fraction of the real story.
What Russia is waging against the United States is not just a cyber warfare campaign, but all out Information Operations that comprises components of cyber warfare, misinformation campaigns, and psychological operations (PSYOPS/PSYWAR). To 'simply' couch this as 'cyberwarfare' is doing a disservice to understanding the true threat we face as a nation. Unfortunately, the media hasn't really stopped to take a step back and really decompose the situation, but instead are too busy chasing the Trump/Russia story to really think about it. These types of activities are not new and have been happening by all major players throughout the world for some time.
Examples of digitally-enabled misinformation campaigns:
- Promoting fake news across the Internet
- Paying for sponsor-paid content to be listed on the front pages of sites like CNN (they have ads as well as 'Sponsored Content' made to look like real news stories).
- Continuous social media positing/comments and sharing of the fake news stories above.
- State-sponsored hacking and leaking of information
- this encompasses leaking DNC/RNC emails/campaign information, leaking of US capabilities (i.e. shadowbroker leaks, et cetera)
- Using shell companies to pay 'industry experts' for 'white-papers', speeches and appearances that are politically motivated and releasing 'PR' on legitimate sites.
A few of Russia's most active groups in the past have been labeled as APT28 and APT29 (or Fancy Bear and Cozy Bear respectively) have been involved in cyberwarfare activities against the United States, resulting in sanctions against GRU and the FSB in December 2016. It should be noted that these groups have not just been actively targeting the United States but also the Norwegian government and Dutch ministries, and most recently the French democratic elections.
While cyberwarfare is conducted for a multitude of reasons (espionage, denial/destruction of capabilities, information collection, etc), in this case a nation state engaging in cyberwarfare is just an enabler to affecting change amongst the population to achieve its' end goal, which is to sway public opinion and influence policy to the detriment of their adversary and for their benefit.
Watching the timeline of known politically motivated campaigns is an extremely interesting and continuously unfolding puzzle that takes a lot of dedicated time and analysis to identify and attribute back to nation state actors. Look for something like this in the future as things get more and more interesting in this world.
A few appropos quotes:
“The supreme art of war is to subdue the enemy without fighting." --Sun Tzu
"There are but two powers in the world, the sword and the mind. In the long run the sword is always beaten by the mind." -- Napoleon Bonaparte
"We were as hypnotized by the enemy's propaganda as a rabbit is by a snake." -- General Eric Von Ludendorf
and lastly one of my favorites...
"Public sentiment is everything. With public sentiment nothing can fail. Without it nothing can succeed. He who molds opinion is greater than he who enacts laws." -- President Abraham Lincoln
Below you'll find a very basic framework to use to build upon for your own operations. There are many, many ways to perform digital intelligence gathering, and the how isn't in scope of this post, but rather the methodologies and reasons why. It's more important to understand why you're doing it and having a framework than the operational side of it; knowing the former will ensure the latter is successful.
Why is this important?
Just like you never drop into an LZ without extensive surveillance, measurement of opfor presence, conducting topography, weather and signals analysis; you should never run an op against an organization without doing the same from a digital perspective.
A highly recommended read, is Joint Publication 3-02.1, Joint Tactics, Techniques, and Procedures for Landing Force Operations.
There's strong correlation and applicability to other disciplines such as Asymmetric and Unconventional Warfare (UW), HUMINT, PSYOPS, and corporate espionage. To sum it up, to be successful on the battlefield (digital or kinetic), you must embrace the full spectrum of operations.
We've broken out the key areas to focus on when conducting digital operations, however, it should not be considered exhaustive by any means. It is up to you to take what we've given you and expand and adapt if for your own purposes.
Performing discovery on who is employed is extremely important in understanding the human landscape and its exploitability. By identifying the HPTs and HVTs (key players), their job functions, connections within the immediate organization, or outside organizations; it's possible to 'connect the dots' of not just internal reporting structures, but social circles.
With this information, you can focus on specific targeted OSINT and SOCMINT/SMI gathering techniques to learn more about these individuals - being able to stroll into a key players favorite coffee shop and strike up a conversation with them around their interests is extremely powerful. We've been on operations where we've actively participated in activity groups with some of our targets just to befriend them and learn more about their work through casual conversation. Powerful, indeed.
Performing researching via OSINT and SOCMINT/SMI is extremely important if your goal is to gain a level down on the individuals employed by the organization as mentioned earlier. Once you have a list of soft targets, it's time to do some collection to determine which of your HPTs and HVTs would necssitate action.
Social Networking Profiles
Understanding the persona of the individuals being targeted is your first step. Active intelligence gathering is not covered here, however, once you understand your targets, you'll be able to shape your HUMINT operations and create your strategy around PSYOPS, building rapport, and otherwise gaining a foothold with your target. Afterall, people are the weakest link.
The usual suspects: LinkedIn, Facebook, VK, Twitter, Instagram, Tumblr and don't forget online dating sites such as Match.com, OkCupid, Tindr/Grindr (these are geolocation based and can be an amazing resource for gathering data and engaging targets around the target profile area).
Identifying the communication strategy of your target is imperative in determining how much information they are willing to part with voluntarily and the trust they put in their agents. By identifying these partners, you may be able discover weaknesses that can be exploited through indirect means. Questions to ask yourself... * How does your subject communicate with the outside world? * Do they use third-party mailer services (i.e. MailChimp)? * Do they utilize a dedicated PR agent to publish company news on their behalf? * How is their Marketing done? * Are Annual Reports posted publicly? What do they mean for your subject?
Publicly Posted Jobs
Analyzing publicly posted jobs will give you a wealth of knowledge about the organization, its technology stack and underlying strategies, as well as its growth. By reviewing a few job posts, you can determine how technologically savvy the organization is, how advanced their internal processes may be, and how the inner business processes may operate at the surface level. This is extremely important; especially once you start engaging in HUMINT operations; you can engage human targets with 'insider' knowledge to aid your social engineering campaigns.
Popular locations to search: Organization's Website, LinkedIn, Indeed, CareerBuilder, Monster, et cetera.
Reviewing civil and criminal records, in addition to news articles may reveal more information around your subject than you could otherwise find out in a short period of time. Legal discovery and attestations given in a court of law can potentially reveal internal strife within an organization, which can and should be used to your advantage.
Remember: It's not always best to act upon information as soon as you get it. Wait for the most opportune time, lest you reveal your hand without knowing your enemies.
Determining which firm, or better yet the individual legal council and aides, can further the long game through social engineering and other means.
This is the more technical portion and starts to stray rather quickly from passive techniques to active. With that said, below is only a light list to get you started, however, remember that being passive is the preferred method of collection until you are ready for moving towards direct action against target(s).
- WHOIS information for domain(s)
- Website review via Google Dorks (filetypes, sub-domains, and sitemap)
- IP Address Range Identification
- Ping Sweeps, Open Ports/Services
- SMTP information
- SaaS / IaaS service providers
Physical locations and assets
Discovering all physical locations owned and operating by your subject is imperative. This will include residences, storage units, vehicles (land, sea, air) and other significant assets. For corporate entities, this will include all primary and secondary business locations, off-site and backup storage, data centers, and other corporate assets that an organization might own, rent, or otherwise occupy.
Metadata to collect:
* Property Owner(s)
* Land and Tax Records * Imagery
When performing discovery on these locations and assets, its recommended to use multiple source for imagery. Google Maps with street and satellite views is decent to get the lay of the land, however, mix it up and use Microsoft's Bing Maps for the Birds Eye View as it may give you better angles, imagery resolution, and potentially better updated satellite imagery. For the level down, research public records to find zoning maps, architectural blueprints and more. Investigate what works best for you.
If your subject is a large corporate entity, your intelligence gathering could (and most likely should) extend into subsidiaries. It's a fine line between collecting more information than you need, however, it's better to have more information than not enough - it's critical to create chronologies and timelines and sort your data based on ranking, scoring, and prioritization.
Next steps: Digital to Physical Collection
Once you've collected remotely (you made a list and double-checked it twice, right?), it's time to conduct surveillance in-person.
To get you started, here are a few things you'll want to consider: * Physical comparison - how does it meet the satellite imagery? * CCTV camera placement and Lighting * Security Guards * Placement * Patrol Paths * Guard 'kit' (armed?) * Badge Usage, Locks and Alarms * Signal emanations (RF, Wireless, other) * Delivery and supply-chain * Foot-traffic patterns (when is it busy?) * Adjacent buildings and FOV * Environmental design * Dumpsters
Once you gather the data needed, you can decide on your plan of action - will your operation continue to be digital, or will you move towards the more physical route? The end goal should be what determine whether you approach from one angle, the other, or somewhere in between. Having collected the information above, you've now narrowed down how to strike, then it's just a matter of when.
The following is a short list of tools and resources that will aid you when conducting digital reconnaissance activities. This is not an exhaustive list, but should be a starting point.: * Maltego * TheHarvester * Fierce2 * NMAP * Google Dorks * ReconNG * Jigsaw * The Wayback Machine (archive.org)
You'll notice a common theme throughout this post; performing digital reconnaissance is just a means to an end, and with effective use of it, you can supplement other offensive operations (HUMINT, PSYOPS, and more).
Important: Remember to exercise OPSEC while performing these activities. Utilize anonymous connection tools such as Tor and VPNs, your browser's private mode (incognito), anonymous pre-paid wireless hotspots, et cetera.
With that, we leave you with some choice quotes from Sun Tzu's Art of War to consider when planning your next op.
Traditionally, exploitation has occurred with tools that drop files onto your target(s), making it much easier to detect and alert upon. Dropping files also makes it easier for IR teams to perform incident response and investigate your activities, let alone reverse engineer your weaponized payloads to determine what you're after and how you're doing it.
A few years ago we've noticed real world attackers moving away from using canned exploits and really diving into the world of what we like to call 'native leverage'. Native leverage is just a fancy way of saying that as an attacker, I'm going to use functionality that's inherent to your system(s) in order to gain more information about you and exploit your weaknesses. Low and behold, Microsoft does a fantastic job at providing this 'functionality' for us.
There are multiple pathways to utilizing PowerShell for exploitation, however, there's a great community behind developing PowerShell scripts and exploitation frameworks dedicated to the concept of native leverage. We personally use a combination of these frameworks that are customized for our needs in addition to our own scripts and tools that we have integrated into our attack platform.
PowerShell Exploitation Frameworks
- PoshSec is an exploitation framework with a GUI that was developed by Ben Ten (Ben0xA). The PoshSec framework is a great tool that can increase the efficiency of your workflow. PoshSec also allows you to add add-on modules such as PoshSec-Mod by Carloz Perez (darkoperator) and others.
- PowerSploit is one of the first projects/frameworks created for exploitation through PowerShell created by Matt Graeber (mattifestation) and is contributed to by numerous members of the community.
- PowerUp is a PowerShell tool for local service enumeration and exploitation. PowerUp was created by Will Schroeder (harmj0y) to automate privilege analysis of Windows services.
- Empire is a natural extension from PowerUp for harmj0y and expands with capabilities and functionality influenced by PowerSploit, Posh-SecMod, and PowerShell-AD-Recon.
- While not strictly a PowerShell exploitation framework, the Veil-Framework is a great collection of tools and scripts that implement attacks with IR evasion in mind. Veil-PowerView is one of the tools included in the framework that interrogates Windows domains to provide situational awareness of the network. PowerView was deprecated and rolled into PowerUp, however, we recommend checking out the Veil-Framework specifically for generating payloads with evasion capabilities and leverage them within your workflow if using Kali Linux.
PowerShell and OPSEC
The benefits of using PowerShell are multiplied when coupling PowerShell exploitation with Cobalt Strike and Beacon's post-exploitation modules. When conducting a digital strike and to provide an extra layer of mis-attrib, we use Beacon's malleable C2 profile abilities with customized profiles to provide the level of uncertainty we aim for when executing against critical targets with a higher degree of technical capabilities. By utilizing a customized C2 profile we can mimic other threat agents by adjusting the 'signature' we leave behind in logs. Doing this is a must and should be carefully researched and planned prior to engaging.
Coming up in the next post, we will take you through getting your environment ready and provide a few examples of using PowerShell for exploitation - stay tuned.
The DigitalOps section is a new section on the blog and one we're looking forward to developing over time. We will be covering topics that will further other activities such as collection and analysis and non-digital exploitation through kinetic or shaping operations such as psyops.
What will be covered in the coming weeks:
- In-depth Analysis of North Koreas custom Red Star OS 3
- Checking for exfiltration possibilities; including in places like China and Iran.
- Primer on conducting Social Media and Open Source Intelligence
- Leveraging PowerShell to execute weaponized payloads remotely
- Digital Reconnaissance and Attack framework and workflow
This is just a taste of things to come - stay tuned.