Ah, Russian espionage. It reminds me of the classic James Bond movies from the 60s.


But that was a different time.

Hoodies have replaced suits. Computers have replaced pistols. Geeks have replaced spies.

And we think for the better.

Hollywood does, too. Let’s not forget who the real star of the show was in Skyfall: Q, the quartermaster behind the keyboard.


Who is APT28?

Take Skyfall’s Q, make him Russian, and multiply him by a hundred. Now you’ve got APT28, otherwise known as Fancy Bear.

They are a notorious Russian cyber espionage group. Their victims include a laundry list of Western governments and organizations, from the Democratic National Committee to TV5Monde to NATO.

Are they well-funded? Yes.

Are they talented? Perhaps.

Do they use any highly sophisticated methodologies? No.

How are they so successful then?

It’s because they target an asset that all of these institutions use to manage and share their internal resources: Active Directory.

But why do attackers care about an internal resource management tool? Isn’t Active Directory just for IT administrators? Aren’t attackers more interested in specific computers?

No. Specific computers are only a means to an end.

They are interested in Active Directory because it stores ALL of the information about the resources inside the environment: users, servers, computers, groups, and applications. From just one computer joined to the domain, and with nothing more than an ordinary domain account, attackers can read most of this information over LDAP. That is not a bug; it is how the directory is designed to work.

This is a secret that, so far, only the attackers seem to appreciate, and they intend to keep it that way.

Attack Methodology

APT28 is not in the business of stealing data for economic gain. They steal it for political purposes, which is what makes them a cyber espionage group rather than a criminal one.

Initial Infiltration and Privilege Escalation

To gain a foothold in the victim’s environment, Fancy Bear uses several methods:

1. Spear phishing mail crafted for each individual target, baiting the victim into opening the attachment or link.
2. In some APT28 cases, vulnerability scanners were seen probing the victim’s internet-facing servers before the attack, followed by exploitation of a known, unpatched vulnerability on one of those servers (typically XSS, SQL injection, or a remote code execution flaw).
3. Compromising legitimate websites and serving their deployer to whoever visits (a watering hole attack).
4. Registering domain names that look like known, trusted domains and hosting their deployer there.

If necessary, they also have zero-days at their disposal: Adobe, Java, and Microsoft Office zero-days have all been used. These ensure that, eventually, their malware will be launched on the victim’s endpoint.

Once inside, they launch the CORESHELL downloader (an updated version of SOURFACE, aka Sofacy), elevate their privileges locally using a Windows zero-day (CVE-2016-7255, a win32k.sys kernel privilege escalation), and establish a second-stage backdoor downloaded from the C2 server.

Quick aside: A key part of any campaign of this nature is persistence inside the environment. It ensures that the attacker only needs to exploit a machine once; after that, the persistence mechanism keeps control across reboots and logoffs. Fancy Bear achieves persistence through registry key modification; autostart locations such as the Run keys are the obvious place for a responder to check first.

Active Directory Reconnaissance and Lateral Movement

From here, the attackers steal domain credentials using various techniques. Among the tools found on victims’ networks were a custom-built Mimikatz, keyloggers, and OLDBAIT, a tool that harvests stored credentials from browsers and mail clients.

Now that they have credentials, which they will use later to access other endpoints, they need to find out where their targets are. Through Active Directory reconnaissance, a handful of LDAP queries that any domain account is allowed to run, they enumerate the users, groups, servers, and computers in the network. This stolen intel gives them a full view of the victim’s environment, all while appearing to be a legitimate user.

They now have domain credentials and a map of the domain; what remains is to move laterally. Using legitimate remote administration services and the pass-the-hash technique with the NTLM hashes they dumped, they authenticate to and infect more endpoints, navigating through the domain until they reach their goal.

Data Exfiltration

On these endpoints they go after everything: mail, documents, and databases. They take anything they can get their (digital) hands on.

To finish the attack, they need to exfiltrate the data. They transmit it through the backdoors established earlier (GAMEFISH, EVILTOSS, CHOPSTICK) to their C2 servers. Channels include encrypted messages hidden inside HTTP traffic, Tor, the victim’s own mail servers, and, for air-gapped networks, copying the data locally onto USB drives so that it can be carried across the gap.

Modus Operandi

Wrapping Things Up

The core of Fancy Bear’s attacks lies in a 3-part process: initial infiltration and privilege escalation, Active Directory reconnaissance and lateral movement, and data exfiltration.

They aren’t the only ones who rely on this process; we’ve shown how Samas follows the same roadmap to carry out its attack.

What is it about this roadmap that makes it so special? Why do other APTs follow it?

Two reasons: stealth and information.

First, it lets the attackers stay hidden once inside, because they use built-in tools from computers that are already joined to the domain. Any domain-joined computer is trusted by, and has read access to, Active Directory (AD), so a query to AD looks like ordinary business. By default nothing audits a plain LDAP read, so such a query sounds no alarms.

Second, Active Directory stores all of the organization’s information. It’s the pot of gold for attackers, except it isn’t found at the end of the rainbow; it sits right in front of them with little protection. How could such a valuable resource be so exposed?

It’s because nobody associates Active Directory with attackers. AD is traditionally thought of as a resource management tool. IT professionals associate it with organizational efficiency, and have done so for the past 17 years. Few recognize how exposed it is by design, or how integral it is to an attacker’s campaign.

This needs to change. The industry needs to shift its way of thinking and start protecting what attackers are really after: Active Directory.


