Anastasia Tikhonova: “We are very lucky that the APT attacks have not yet resulted in mass casualties”





We have a new project: starting with this post, we will acquaint you with the professions and leading specialists of Group-IB, tell you about their work, research and cases, how and where you can get training and, of course, provide a link to current vacancies. The first guest is Anastasia Tikhonova; we present her interview in direct speech and, as they say, without cuts.

:

: .

: Threat Intelligence Group-IB.

: Threat Intelligence & Attribution Analyst.

: 29 .

: .

: 9 , (APT).


: APT, ,



- development of new digital weapons, exploitation of zero-day vulnerabilities, testing of new means of delivering and distributing malicious programs. China, North Korea, the United States and Iran have their own cyber armies, and Turkey, India, Kazakhstan and the countries of South America have joined this race. For more than three years, since 2017, I have been studying APTs (Advanced Persistent Threats): complex targeted threats, attacks by special services or, as they are also called, pro-government hacker groups, and I see 4-5 new groups appear every year. There are now more than 70 groups operating in the world, not counting those who have temporarily "laid low" or those who are still operating in secret. Most APTs are engaged in cyber espionage, less often in sabotage. Although there are exceptions, such as the North Korean group Lazarus and numerous Chinese APTs that attack cryptocurrency exchanges, banks and game developers to make money.



Pro-government groups are not necessarily "hackers in uniform" who work from a hypothetical bunker from 9:00 to 18:00. These can be specialists who are used "in the dark", or even cyber-patriots who commit crimes out of love for their homeland (there are some!), or professional mercenaries, hackers on a "salary". We do not have receipts or statements of how much they are paid (or whether they are paid at all), but I think it is higher than in the market, because they have a rather specific job. And the risks are appropriate.



Any cyber attack, regardless of the motive pursued by the hackers, is a crime and a violation of the law. The recent attack in Miami (Florida) on the control system of a water treatment plant is a story about remote access to a computer. TeamViewer was installed on the machine so that employees could control something remotely. The account was password-protected, but the attacker was able to guess the password. He logged in twice, and the second time he changed the sodium hydroxide level in the interface settings to one that could potentially cause significant harm to human health. An employee of the company, seeing this, immediately changed the settings back to safe values. And this is not a plot from a cyberpunk TV series. The year before last, North Korean hackers succeeded in stopping power units at the Kudankulam nuclear power plant in India, presumably by compromising the workstation of a rather high-level employee. In 2020, attackers in Israel also managed to gain access to water purification systems and even remotely tried to change the chlorine level, which would have triggered a wave of poisoning. We are very fortunate that the APT attacks have not yet resulted in massive loss of life.



APT- - the tactics and procedures they use in their attacks are also adopted by ordinary cybercriminals. For example, after the use of the ransomware WannaCry, BadRabbit and NotPetya by pro-state groups in 2017, a real epidemic of criminal ransomware attacks swept the world: with their help you can earn no less than from a successful attack on a bank, even though the technical execution and cost of the attack are much simpler... Even such "classic" financially motivated criminal groups as Cobalt and Silence, which used to attack banks to steal and withdraw money, switched to using ransomware and became members of private partnership programs. According to our estimates, the damage from ransomware attacks (and there were about 2,000 of them) last year amounted to at least $1 billion. And this is according to the most conservative estimates.



: Threat Intelligence



, . As a child, I wanted to become a police officer. And in the 10th grade I tried to enter the FSB Academy; I come from a family of military personnel. Before Group-IB, I worked for a year at an anti-virus company, and already there I often noticed news about Group-IB in the press: they released a new study, conducted an investigation, participated in an arrest. At that time there were very few players in the information security market, and even then Group-IB stood out for its intolerance of cybercrime and its bet on technology, and it became interesting to me to find out what opportunities for development there were. When I joined Group-IB in 2013, our Threat Intelligence department was simply called the analytics department, and we were engaged in completely different issues: from researching hacktivists to helping the investigations department identify hackers and establish their identities. In seven years, our three-person department has grown into a Cyber Intelligence department with over thirty employees.



Cyber intelligence varies. Nowadays, Threat Intelligence and the TI tool market often boil down to sending customers banal "black lists": a list of "bad" addresses and "bad" domains. For us at Group-IB, Threat Intelligence & Attribution is knowledge about attackers; it is no longer enough for us to simply analyze threats. As our CTO Dima Volkov says, when you are faced with a real threat, you need an answer to one of the important questions: who is attacking you, and with what? In addition to this data, we give our clients the tools to work with and provide our own service, which shifts some of the active tasks onto the shoulders of our specialists who already have the necessary experience and skills. Much is now done for us by machine intelligence and automated systems. But this does not negate the "delicate manual work".



One of my first big studies was on attacks on Russia by hackers who support ISIS. Forbes wrote about this at the time: "Islamist hackers from the Global Islamic Caliphate, Team System Dz and FallaGa Team groups attacked about 600 Russian websites of state agencies and private companies." At that time we still had semi-manual access to the underground: I went to hacker forums, registered, collected various useful information and data for cyber intelligence (Threat Intelligence), and based on them I made reports for our clients. At some point it just got boring for me to work on the underground, I wanted more difficult tasks, and my leader, Dmitry Volkov, CTO of Group-IB, suggested doing research on one of the Chinese APTs. That is how it all started.







In my work, you need to move your brain and your hands quickly... and generally keep moving. In one day we can have a study of attacks by pro-government groups from China, then you see a trigger from the Nigerian detection rule fly in (there was recently a joint operation with Interpol), and by the evening it turns out that someone is DDoSing a client in the name of "Russian hackers"...



A girl in infosec? Well, yes, so what? I hate such questions. As the saying goes, "talent has no gender". It doesn't matter what gender you are: you can be an excellent analyst or researcher, or you may not be.



Work as it is: a bit of the inside view



My typical day starts with a cup of coffee and Twitter. I have a good subscription base: there are researchers and journalists whom I follow and who follow me. In this social network, the infosec community exchanges data on various attacks and vendor reports. For example, the Korean company ESRC is doing very interesting investigations now. I am also subscribed to a couple of specialized Telegram channels on APTs. Here the community works very clearly: if one researcher has found the command server of a hacker group and dropped the data into the Telegram channel, others help him investigate and share information on the case. Any topic thrown in about APTs usually quickly becomes overgrown with interesting details, but interest in carding and phishing is not so high. Well, maybe with the exception of the popular ransomware.



Work on any case begins with analytics. As a rule, before I start a research project, I already have a pool of information: both ours and someone else's (from other vendors or analysts). I start pivoting on the identified indicators (hashes of trojans, malicious documents, domains, links and so on that were used) and test all of it for the possibility of supplementing these indicators with our own data that no one else has seen; this often happens. My working tools are our Threat Intelligence & Attribution developments and the Group-IB network graph; I use them to quickly find additional indicators of compromise and send them as an alert to the client. This gives customers the ability to prevent an attack and block unwanted activity.





In the photo: an example of researching a group's infrastructure using the Group-IB network graph





We have historical connections between groups and hackers in the community, and data on cybercriminals over several years. This is valuable data: mail, phones, instant messengers, a database of domains and IPs, data related to malicious programs. For example, the Group-IB TI&A database contains all domains ever used by cybercriminals with a 17-year history of their changes. We can talk about the specifics, the "handwriting", of each individual criminal group. We know that one group uses the same servers, or registers domain names with two favorite providers. We load all this data into Group-IB's External Threat Hunting system and get what can now be called effective threat hunting at the output.
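The two paragraphs above describe pivoting: starting from a few known indicators, following infrastructure attributes that a group reuses (the same servers, the same "favorite" registrars) to reach domains that nobody has flagged yet. The block below is an added illustration of that idea and is not code from the interview or from Group-IB's network graph product. It assumes a small set of constructed passive-DNS/WHOIS-style records; all domains, addresses and e-mails are placeholders (`.example`, `.invalid`, TEST-NET ranges), not real indicators. It expands a seed set breadth-first over "strong" attributes (hosting IP, registrant e-mail), refuses to pivot through attributes shared by too many domains (shared hosting would otherwise drag in unrelated tenants), records the pivot chain for each candidate so the analyst can see why it was pulled in, and finally profiles the cluster's name servers as a simple "handwriting" check.

```python
"""Expanding seed indicators through shared infrastructure (pivoting).

Added example, not Group-IB code. All records below are constructed sample data.
"""
from collections import Counter, defaultdict, deque

# Constructed passive-DNS / WHOIS-style records: (domain, IP, registrant, name server)
RECORDS = [
    ("update-check.example", "203.0.113.10", "reg1@mail.invalid", "ns1.hostera.invalid"),
    ("cdn-static.example",   "203.0.113.10", "reg2@mail.invalid", "ns1.hostera.invalid"),
    ("secure-login.example", "198.51.100.5", "reg1@mail.invalid", "ns1.hostera.invalid"),
    ("news-portal.example",  "203.0.113.20", "reg3@mail.invalid", "ns1.hostera.invalid"),
    # three unrelated tenants on the same shared-hosting IP as secure-login.example
    ("tenant-a.example",     "198.51.100.5", "reg4@mail.invalid", "ns1.bulk.invalid"),
    ("tenant-b.example",     "198.51.100.5", "reg5@mail.invalid", "ns1.bulk.invalid"),
    ("tenant-c.example",     "198.51.100.5", "reg6@mail.invalid", "ns1.bulk.invalid"),
]

STRONG_ATTRS = {"ip", "registrant"}  # worth pivoting through; "ns" alone is too generic
MAX_FANOUT = 3  # an attribute shared by more domains than this is treated as shared hosting


def build_graph(records):
    """Bipartite graph: domain -> set of (attr_type, value), plus the reverse index."""
    dom_to_attr = defaultdict(set)
    attr_to_dom = defaultdict(set)
    for domain, ip, registrant, ns in records:
        for attr in (("ip", ip), ("registrant", registrant), ("ns", ns)):
            dom_to_attr[domain].add(attr)
            attr_to_dom[attr].add(domain)
    return dom_to_attr, attr_to_dom


def pivot(seeds, records, max_depth=2):
    """Breadth-first expansion from seed domains over strong, low-fanout attributes.

    Returns {new_domain: [(domain, attr), ...]}: the chain of pivots that led from
    a seed to the new domain, so an analyst can see *why* each candidate was
    pulled in before alerting a client on it.
    """
    dom_to_attr, attr_to_dom = build_graph(records)
    seen = set(seeds)
    found = {}
    queue = deque((seed, 0, []) for seed in seeds)
    while queue:
        domain, depth, path = queue.popleft()
        if depth >= max_depth:
            continue
        for attr in sorted(dom_to_attr[domain]):
            if attr[0] not in STRONG_ATTRS:
                continue
            linked = attr_to_dom[attr]
            if len(linked) > MAX_FANOUT:
                continue  # hub attribute: pivoting here would drag in unrelated tenants
            for other in sorted(linked):
                if other in seen:
                    continue
                seen.add(other)
                found[other] = path + [(domain, attr)]
                queue.append((other, depth + 1, found[other]))
    return found


def cluster_profile(seeds, found, records):
    """Count name servers across the whole cluster: the "handwriting" of a group
    that keeps registering with the same one or two favourite providers."""
    cluster = set(seeds) | set(found)
    return Counter(ns for domain, _, _, ns in records if domain in cluster)


if __name__ == "__main__":
    seeds = ["update-check.example"]
    found = pivot(seeds, RECORDS)
    for domain, chain in found.items():
        print(domain, "<-", " <- ".join(f"{d} via {a[0]}={a[1]}" for d, a in chain))
    print("name servers in cluster:", dict(cluster_profile(seeds, found, RECORDS)))
```

Run from a single seed, the expansion picks up `cdn-static.example` (same hosting IP) and `secure-login.example` (same registrant), but not `news-portal.example`, which only shares a name server, and not the three tenants behind the shared-hosting IP, because that IP exceeds the fan-out threshold. The threshold and the choice of "strong" attributes are the two knobs that decide how much noise a pivot produces; a real dataset needs them tuned per attribute type rather than fixed as here.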



, , . It so happens that you sit for a long time, monitor a character, try to find some additional accounts and cannot find any... And then suddenly you see that he indicated his personal mail on a screenshot posted on the Internet, or in an old photograph. We have to dig deeper, analyze deeper. You start looking for additional accounts, for people who could have interacted with him; if you work out a specific city, you already get more information, and sometimes it happens that you already know the street. What could be a clue? It can be a photo from social networks, or a photo on the Instagram of his girlfriend; if there is no girlfriend, look on Tinder, and so on. In other words, OSINT, open source intelligence. All technical divisions of Group-IB possess this tool, but each has its own OSINT.



We are being investigated too. Do you think nobody has tried to attack us, Group-IB? We are confronting real cybercrime; they try to threaten us, they have sent "greetings". Not like with Krebs, of course; other greetings, more often in the form of malware.



Ultimately, all of my analytics is needed to prevent cybercrime. This sounds like science fiction, but we can predict attacks even before hackers and APTs carry them out. Even at the stage of preparing the infrastructure, we identify attacks and warn customers. In addition, Threat Intelligence & Attribution data is enriched with information from the dark web and from underground hacker forums, and is used in our other solutions, allowing analysts to see the most complete picture of threats and attribute criminal activity with the utmost accuracy.







From Korea to Karelia: the APT landscape



APT, " " — — . I "like" their approach: they take a thoughtful and non-standard approach to their work. For example, at the reconnaissance and penetration stage, they conduct very realistic interviews with "candidates", playing the part for a long time without arousing suspicion. Plus they have interesting tools that they are constantly developing. Initially they began with classic cyber espionage against South Korea and the United States; over time they became universal soldiers capable of stealing money or valuable information, or of sabotage. From year to year, North Korean groups such as Lazarus and Kimsuky show steady development in their attack methods and their tools. Last year, a large number of attacks by North Korean hackers targeted military contractors around the world. Kommersant wrote about this, maybe you read that paper :)



In North Korea, in my opinion, there is a large "root" group, Lazarus, which has different teams under its command, for example Andariel, to solve various non-core tasks. By the way, both names of these North Korean APTs were taken by researchers from the popular computer game "Diablo".



In Iran, the recruitment of employees into APT groups takes place right from the student's bench. Once we published an article on Habr about Iranian hackers, where the name and surname of one of the persons involved was written in the documents. At first we doubted it; you never know whose name gets inscribed. However, it turned out that once upon a time his mail had been exposed on hacker resources, which interested us quite a lot. Having unraveled all this, we found a lot of different accounts on forums dedicated to learning how to exploit vulnerabilities, which convinced us even more that it was this very man, "blacher", who was doing the hacking. When we published our findings, he wrote on Twitter in the following spirit: "Why do you just accuse people? You never know, a person could have been set up, or he stumbled." After some time he deleted this message himself: it gave him away completely.



We don't hear about American APTs, but that doesn't mean they don't exist. There are American groups, but there is almost nothing about them. Why do you need a lot of small APT groups if you have one well-organized one that works on tasks and spies on others? A rhetorical question. In the United States, everything is closely tied to the NSA; that is, they have, I would say, a rather large arsenal of these 0-day and other vulnerabilities and tools. What WikiLeaks has posted is a small part of what the NSA has.



"Russian hackers" who work for the state are now a very fashionable and hyped topic in the West. Hacker attacks in the press are often linked to a particular country based on the tense political situation (Russia vs USA, Israel vs Iran, North Korea vs South Korea) and not on the basis of real technical data that unequivocally indicate a particular group. Let's not forget that groups often use false flags and try to cover their tracks. For example, this is what Lazarus did. In general, a "Russian hacker" is something from the late 90s. There are no "Russians", there are "Russian-speaking" people from the post-Soviet countries. And "Russian hackers are the coolest" is no longer the case: the groups are mixed and consist of people of different nationalities.







Don't think that everything is simple. APTs often try to cover their tracks, throw out false flags and "point the finger" at each other. The same Iranian MuddyWater started out trying to imitate Fin7. If, as in the case of Lazarus, you get to specific IP addresses that belong to North Korea, then after that you can make a statement that this is North Korea. And this is what some vendors do. Otherwise, you can only look at the targets that were attacked, look at the infrastructure and where it was obtained from, at the manner of certain comments in the code, and so on. If there was an attack in the South China Sea, you can assume that countries with interests in this region are involved. And then you start to figure out what kind of tools were used: since this is a PlugX trojan, then most likely it is China. And then we get to the infrastructure, and it turns out that these are, indeed, Chinese IP addresses.
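The reasoning above (targets, tools, infrastructure, code artefacts, and the knowledge that any one of them may be a false flag) is what Richards Heuer's Analysis of Competing Hypotheses (ACH), from the "Psychology of Intelligence Analysis" recommended further down, was designed to structure. The block below is an added example and not code from the interview or from Group-IB; it implements ACH on a constructed attribution case. Hypotheses are candidate origins, each evidence item is rated against every hypothesis as consistent (C), inconsistent (I) or not applicable (N), and the method favours the hypothesis with the least inconsistent evidence rather than the most supporting evidence. Two refinements are assumed here: evidence rated identically against every hypothesis is flagged as non-diagnostic and dropped, and every item carries a credibility weight so that easily planted artefacts (language strings, debug paths) count for less than things that are hard to fake for years (victimology, registration habits). All evidence descriptions, ratings and weights are constructed for the illustration; PlugX is the only name taken from the text.

```python
"""Analysis of Competing Hypotheses (ACH) applied to attribution.

Added example, not from the interview and not Group-IB tooling. All evidence
items, ratings and credibility weights are constructed for the illustration.
"""

HYPOTHESES = ["China-nexus", "DPRK-nexus", "Iran-nexus", "Russia-nexus"]

# (description, credibility 0..1, {hypothesis: "C" consistent | "I" inconsistent | "N" n/a})
EVIDENCE = [
    ("Victims over 3 years: agencies of South China Sea claimant states", 0.9,
     {"China-nexus": "C", "DPRK-nexus": "N", "Iran-nexus": "I", "Russia-nexus": "I"}),
    ("Malware: PlugX build with two previously unseen modules", 0.6,
     {"China-nexus": "C", "DPRK-nexus": "N", "Iran-nexus": "N", "Russia-nexus": "N"}),
    ("C2 domains registered via the two providers seen in earlier campaigns", 0.7,
     {"China-nexus": "C", "DPRK-nexus": "N", "Iran-nexus": "N", "Russia-nexus": "N"}),
    ("Lures in fluent Vietnamese, sent during UTC+8 working hours", 0.5,
     {"China-nexus": "C", "DPRK-nexus": "N", "Iran-nexus": "I", "Russia-nexus": "I"}),
    ("Cyrillic strings and Russian PDB path in one binary (easy to plant)", 0.2,
     {"China-nexus": "I", "DPRK-nexus": "I", "Iran-nexus": "I", "Russia-nexus": "C"}),
    ("Initial access by spear-phishing", 0.8,
     {"China-nexus": "C", "DPRK-nexus": "C", "Iran-nexus": "C", "Russia-nexus": "C"}),
]


def non_diagnostic(evidence, hypotheses):
    """Evidence rated identically against every hypothesis cannot separate them."""
    return [desc for desc, _, ratings in evidence
            if len({ratings[h] for h in hypotheses}) == 1]


def rank(evidence, hypotheses):
    """Return [(hypothesis, weighted_inconsistency, weighted_support)] ordered by
    least inconsistency first; support is only a tie-breaker, as ACH prescribes."""
    skip = set(non_diagnostic(evidence, hypotheses))
    rows = []
    for h in hypotheses:
        inconsistent = sum(w for d, w, r in evidence if d not in skip and r[h] == "I")
        support = sum(w for d, w, r in evidence if d not in skip and r[h] == "C")
        rows.append((h, round(inconsistent, 3), round(support, 3)))
    return sorted(rows, key=lambda row: (row[1], -row[2]))


def must_explain(evidence, hypothesis):
    """Evidence the given hypothesis has to explain away: the items inconsistent
    with it, with their credibility. Low-credibility entries here are the usual
    shape of a false flag and deserve a second look before publishing."""
    return [(d, w) for d, w, r in evidence if r[hypothesis] == "I"]


if __name__ == "__main__":
    print("non-diagnostic:", non_diagnostic(EVIDENCE, HYPOTHESES))
    ranking = rank(EVIDENCE, HYPOTHESES)
    for h, inc, sup in ranking:
        print(f"{h:13s} inconsistency={inc:.2f} support={sup:.2f}")
    leader = ranking[0][0]
    print(f"{leader} must explain:", must_explain(EVIDENCE, leader))
```

On this constructed matrix the China-nexus hypothesis leads, but note what the method actually says: DPRK-nexus has exactly the same (low) inconsistency score and is only separated by weaker supporting evidence, because nothing in the set contradicts it. ACH eliminates hypotheses; it does not prove one, which is the same caveat the paragraph makes about vendors who stop at "Chinese IP addresses". The spear-phishing item contributes nothing because every candidate uses it, and the Cyrillic-strings item is the one thing the leading hypothesis must explain away, which is where an analyst looks for a planted artefact.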



Secrets of Mastery and a Reading List for Leveling Up



There is no ceiling in your own self-development. I would like to work in Europe and Asia, because there would be more chances to exchange experience with other information security specialists; you begin to understand the mentality and better imagine how an APT could work specifically in this region. I think it will be easy to do. The year before last, Group-IB opened its global headquarters in Singapore, and last year its European headquarters in Amsterdam. As the tools evolve, and since APT groups will never disappear, I will always have work. Moreover, my profession will be in demand.



We are all super-multitasking: often you have to take a lot of data from different sources and analyze it, and this is a painstaking process. Therefore, for a beginner, several qualities are important: curiosity and perseverance. We need to keep abreast of all political news and of all types of attacks, to monitor the emergence of new types of attacks or vulnerabilities. In most cases we take people with a specialized education in information security, but since my case is not one of these, it is possible to gain experience on the spot. That is, if you are an interested person, used to getting to the bottom of things, and you have knowledge of IT (you still have to have knowledge of IT), then in principle you can get a junior analyst position and gain experience in this area from there. The main thing is dedication and the desire to develop.



In order to immerse yourself in the profession or level up as a Threat Intelligence analyst, I recommend this small list of references:



  1. The timeless classic from CIA veteran Richards Heuer, "Psychology of Intelligence Analysis", which describes the peculiarities of our thinking, the errors and limitations (cognitive biases) that our brains generate. For example, recognizing an unexpected phenomenon requires more unambiguous information than recognizing an expected one: "We tend to perceive what we expect to perceive."
  2. The basic principles and concepts of Cyber Threat Intelligence can be found in "Threat Intelligence: Collecting, Analysing, Evaluating" by David Chismon and Martyn Ruks from MWR InfoSecurity.
  3. , Cyber Threat Intelligence, APT, "Attribution of Advanced Persistent Threats: How to Identify the Actors Behind Cyber-Espionage" by Timo Steffens. , , .
  4. Kill Chain, Diamond Model, MITRE ATT&CK — , Cyber Threat Intelligence, : "MITRE ATT&CK: Design and Philosophy", ATT&CK, . MITRE ATT&CK, .
  5. "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains" by Eric Hutchins, Michael Cloppert and Rohan Amin — Kill Chain, , .
  6. "The Diamond Model of Intrusion Analysis" by Sergio Caltagirone, Andrew Pendergast and Chris Betz — , CTI.
  7. , , APTNotes. , , , , , , .
  8. , —


Threat Intelligence & Attribution Analyst?







For those who are interested in the Threat Intelligence & Attribution Analyst profession, our company is ready to offer a practical course on collecting information about cyber threats and enriching cyber security processes with TI data for effective incident response and threat monitoring.



The goal of the Group-IB Threat Intelligence & Attribution Analyst course is to teach you how to collect meaningful information from different types of sources, both open and closed, to interpret this information and identify signs of preparation for an attack. The program includes hands-on exercises based on case studies from the Group-IB Cyber Intelligence Department. This approach is important so that students can immediately apply the knowledge gained in their daily practice.



A job that makes sense!



And one more important announcement. Group-IB is strengthening its technical team: become part of the team and change the world with us! Currently, 120+ vacancies are open, including 60 for technical specialists. Details here. Group-IB is the next generation of engineers. We embody bold ideas, creating innovative technologies for investigating cybercrimes, preventing cyber attacks, and tracking attackers, their tactics, tools and infrastructure.



Join us!


