Slide 1: Georgia – NATO
CYBER ATTACKS ON GEORGIAN GOVERNMENTAL RESOURCES
Turkey, Ankara 2012
Zurab Akhvlediani
www.dea.gov.ge
Slide 2: Introduction

CERT-Georgia, the governmental Computer Emergency Response Team of the Republic of Georgia, has discovered a cyber attack incident which appears to be a case of cyber espionage.

Advanced malicious software was collecting sensitive, confidential information about Georgian and American security documents and uploading it to command and control servers (which change often upon detection).

After investigating the attackers' servers and malicious files, we have linked this cyber attack to Russian official security agencies.
Slide 3: Introduction

In March 2011 CERT-GOV-GE discovered a botnet command & control web server.

After analysing the web server, the malicious files and various scripts, we found out that:

1. Some Georgian news sites were hacked. (The malicious script was injected only into the pages where specific information was presented.)

2. After visiting these pages, the computer was infected with an unknown malicious program. (No antivirus product could identify this threat at the time of discovery.)

3. When executed, the malicious file fully controls the infected computer.

4. It searches the document files for "sensitive words".

5. It captures video and audio using the built-in microphone.
Slide 4: Targeted Audience

The cyber attack was designed very smartly. Various Georgian news-related web sites were hacked, and only specific news pages were modified (e.g. the NATO delegation visit to Georgia, US-Georgian agreements and meetings, Georgian military news).

www.caucasustimes.com – site about news from the Caucasus region
www.cei.ge – Caucasus Energy and Infrastructure
www.psnews.ge – Georgian news site
Slide 5: Example of the injected script in the hacked news website

[Screenshot of the injected script on www.psnews.info; image not included in this extraction]
Slide 6

The malicious file was evolving and was developed further from time to time:

30 March 2011 – virus steals sensitive documents and certificates

14 September 2011 – changed infection mechanism, new bypassing methods for antivirus/firewall/IDS

25 November 2011 – virus is more encrypted and obfuscated; infects the Windows 7 operating system

12 December 2011 – added video recording capability, scanning and infecting computers through the network, changed spreading vector

The command & control web server changes its destination upon detection: it has been hosted at US, German, French, Hungarian, Czech and Russian hosting providers.
Slide 7: Infection Vector

[Screenshot: shellcode encoded into a PHP file; image not included in this extraction]
Slide 8: Downloading the Actual Virus File

The shellcode either downloads the calc.exe file directly or makes a GET request to calc.php and then reassembles the response into calc.exe (for firewall/IDS/IPS evasion).

[Screenshot: Base64-encoded EXE file; image not included in this extraction]
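The calc.php delivery described on this slide hides an executable from signature-based inspection by shipping it as base64 text. An added detection example, not from the original presentation: scan an HTTP response body for a base64 run that decodes to a PE image (an "MZ" DOS header whose e_lfanew field points at the "PE\0\0" signature). The HTML wrapper and the stub PE header are constructed here for the demo; the stub is not a runnable executable.

```python
"""Detect a base64-encoded Windows executable hidden inside an HTTP response body."""
from __future__ import annotations

import base64
import binascii
import re
import struct

# A run of at least 64 base64 characters; CR/LF are allowed so line-wrapped blobs are caught whole.
B64_RUN = re.compile(rb"[A-Za-z0-9+/=\r\n]{64,}")


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with an MZ header whose e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def find_encoded_pe(body: bytes) -> bytes | None:
    """Return the decoded PE bytes if any base64 run in the body decodes to a PE image, else None."""
    for m in B64_RUN.finditer(body):
        run = re.sub(rb"\s+", b"", m.group(0))   # droppers often wrap the blob at a fixed width
        try:
            decoded = base64.b64decode(run, validate=True)
        except binascii.Error:
            continue                               # not a clean base64 run (e.g. ordinary text)
        if looks_like_pe(decoded):
            return decoded
    return None


def build_stub_pe() -> bytes:
    """Constructed minimal MZ/PE header for testing only; it is not a real executable."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)        # e_lfanew: PE signature right after the DOS header
    return bytes(hdr) + b"PE\0\0" + b"\0" * 60


# Constructed response body in the style of the calc.php delivery: the blob sits inside plain HTML.
SAMPLE_RESPONSE = b"<html><body>\n" + base64.encodebytes(build_stub_pe()) + b"</body></html>\n"

if __name__ == "__main__":
    pe = find_encoded_pe(SAMPLE_RESPONSE)
    print("encoded PE found, %d bytes" % len(pe) if pe else "no encoded PE in body")
```

In production the same check belongs on a proxy or IDS that reassembles HTTP bodies, since the evasion relies on the executable never appearing as a binary on the wire.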
Slide 9: Downloading the Malicious File from a Russian Website

www.rbc.ru – Рос Бизнес Консалтинг (RosBusinessConsulting)
Slide 10: Infected Computer (BOT)

Not detected by major antivirus products; bypasses patched Windows 7 SP1 with the firewall enabled (as of 25.03.2011, 20.06.2011, 16.01.2012, 25.03.2012).

After execution, calc.exe itself does 2 major things:

- injects into iexplorer.exe and communicates with the defaced sites to retrieve the C&C address

- creates the usbserv.exe bot file in the Application Data directory and writes it to autorun in the Windows Registry.
Slide 11: Virus Functionalities

• Send any file from the local hard drive to the remote server
• Steal certificates
• Search the hard drive for Microsoft Word documents
• Search the hard drive for remote desktop configuration files
• Take screenshots
• Record audio using the microphone
• Record video using the webcam
• Scan the local network to identify other hosts on the same network
• Execute arbitrary commands on the infected system

The commands are activated manually and were sent to each host individually rather than being broadcast to all infected hosts.
Slide 12: Sensitive Words

[Screenshot; image not included in this extraction]
Slide 13: Destination

• In the final steps the cyber attacker steals the matched files and uploads them to the server. This server is often bought from various hosting providers, and it changes destination country and IP address very often.

September 2010 – georgiaonline.xp3.biz (United States) FreeWebHostingArea.com
March 2011 – ema.gov.ge (Georgia) (hacked web server)
April 2011 – 178.32.91.70 (France) OVH Hosting
June 2011 – 88.198.240.123 / 88.198.238.55 (Germany) DME Hosting
October 2011 – 94.199.48.104 (Hungary) Net23.hu
November 2011 – 173.212.192.83 (United States)
December 2011 – 31.31.75.63 (Czech Republic)
January 2012 – 31.214.140.214 (Germany) DME Hosting
March 2012 – 78.46.145.24 (Germany) DME Hosting
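Because the upload server moved across providers and countries every few months, a responder needs to sweep historical proxy logs against the whole list rather than a single address. An added example, not from the original presentation: an IOC sweep over proxy log lines using the indicators listed on this slide and the control domain from the "Unmasking" slide, reporting per internal client the first contact and the request volume (the bot uploads matched documents, so bytes sent is the exfiltration signal). The log format, internal addresses and URL paths are constructed for the demo.

```python
"""IOC sweep: find internal hosts that talked to the C&C servers named in this deck."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import date

# Upload servers from the "Destination" slide plus the control domain from the "Unmasking" slide.
# Left out on purpose: ema.gov.ge (a hacked Georgian government server) and www.rbc.ru (a legitimate
# Russian news site used only as a fallback channel); a bare hostname match on those is mostly noise.
INDICATORS = {
    "georgiaonline.xp3.biz", "178.32.91.70", "88.198.240.123", "88.198.238.55", "94.199.48.104",
    "173.212.192.83", "31.31.75.63", "31.214.140.214", "78.46.145.24", "warynews.ru",
}

# Constructed proxy log format (not from the deck): ISO timestamp, client, method, target, status, bytes.
LOG_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\d{2}:\d{2}:\d{2}\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<target>\S+)\s+(?P<status>\d{3})\s+(?P<bytes>\d+)$"
)


@dataclass
class Finding:
    host: str
    first_seen: date
    indicators: set[str] = field(default_factory=set)
    bytes_sent: int = 0          # request bytes to the C&C: the exfiltration volume for this client


def host_of(target: str) -> str:
    """Reduce 'http://host:port/path' or 'host:port' to a lower-case bare host name."""
    if "://" in target:
        target = target.split("://", 1)[1]
    return target.split("/", 1)[0].split(":", 1)[0].lower()


def match_indicator(host: str) -> str | None:
    """Exact match for IP indicators; exact or subdomain match for domain indicators."""
    for ioc in INDICATORS:
        if host == ioc:
            return ioc
        if not ioc[0].isdigit() and host.endswith("." + ioc):
            return ioc
    return None


def sweep(lines) -> dict[str, Finding]:
    """Return one Finding per internal client that contacted any indicator."""
    findings: dict[str, Finding] = {}
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                      # malformed line: skip it rather than abort the sweep
        hit = match_indicator(host_of(m["target"]))
        if hit is None:
            continue
        day = date.fromisoformat(m["day"])
        f = findings.setdefault(m["src"], Finding(m["src"], day))
        f.first_seen = min(f.first_seen, day)
        f.indicators.add(hit)
        f.bytes_sent += int(m["bytes"])
    return findings


# Constructed sample lines; the clients, paths and sizes are made up for the demo.
SAMPLE_LOG = """\
2011-06-14T10:22:05 10.0.3.17 CONNECT 88.198.240.123:443 200 4096
2011-06-14T10:22:09 10.0.3.17 POST http://88.198.240.123/upload 200 1048576
2011-06-14T11:01:44 10.0.3.22 GET http://www.rbc.ru/news/ 200 512
2011-10-03T09:15:00 10.0.3.17 POST http://94.199.48.104/upload 200 2048
2011-10-03T09:16:30 10.0.3.40 GET http://www.warynews.ru/index.php 200 300
this line is garbage and must be skipped
2012-03-20T16:40:12 10.0.3.40 POST http://78.46.145.24/upload 200 8192
"""

if __name__ == "__main__":
    for f in sweep(SAMPLE_LOG.splitlines()).values():
        print(f"{f.host}: first seen {f.first_seen}, {f.bytes_sent} bytes to {sorted(f.indicators)}")
```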
Slide 14: Unmasking the Cyber Attackers (Counter Cyber-Intelligence)

CERT-GOV-GE gained full access to the command & control servers and decrypted the communication mechanisms and malicious files. After analysing all the gathered information we have identified the cyber attacker persons and organizations.

In 2011-2012, during this new cyber espionage attack, we have identified Russian security agencies once again.

We have found 3 main facts which point to Russian official state organizations:

Warynews.ru – site used to control infected Georgian computers; its IP and DNS servers belong to the Russian Business Network (mentioned in various blacklists, bad reputation).

www.rbc.ru – written directly into the malware code, to communicate with the attackers if every other communication channel is closed. Official name "Russian Business Consulting" – official website, linked with RBN.

Legalcrf.in – sending malicious files through spam email from "admin@President.gov.ge". Obscure registrar, only discoverable through an Indian WHOIS service.
Person: Artur Jafuniaev
Address: Lubianka 13, Moscow <- Federal Security Service of the Russian Federation (FSB), information and communication technologies division
Slide 15: Unmasking the Cyber Attackers (Counter Cyber-Intelligence)

• We have been monitoring the command & control server 24/7 and once observed that the attacker ran the malicious code in his own operating system to check new functions.
• Then we got video of him personally. We have captured the process of creating new malicious modules.
• We have obtained a Russian document, from email, where he was giving someone instructions on how to use this malicious software and how to infect targets.
• We have linked him with some German and Russian hackers.
• Then we have obtained information about his city, Internet service provider, email, etc.
Slide 16: Responding Steps

1) CERT Georgia gained access to the command and control servers which were run by the attacker.

2) We have identified all of the infected computers located in Georgia. We then contacted the governmental agencies, gave them the necessary information on how to respond to this incident and helped them to disinfect the machines.

3) CERT-GOV-GE also collaborated with US-CERT, Bundes-CERT (Germany), CERT-Ukraine, Microsoft security divisions, ESET and various hosting providers (to shut down the attacking servers and obtain data for further forensic analysis).
Slide 17: Q/A

Contact Information:

The Ministry of Justice
Data Exchange Agency

Tbilisi, Georgia 0102
Tsminda Nikolozis/Nino Chxeizis St. N2

Phone: +995 (32) 2 91 51 40
E-mail: info@dea.gov.ge
zakhvlediani@dea.gov.ge
Thank You

Questions…

Editor's Notes

  • #3: The attack was discovered by CERT-Georgia.
  • #5: Only the persons who were interested in such information were infected with this advanced threat, despite the defensive security measures and software used on the targets' computer and network systems. The threat was highly encrypted and used contemporary stealth techniques, so that none of the security tools could identify it.