# When Governments Attack!

Eva Galperin / Global Policy Analyst / eva@eff.org
Cooper Quintin / Staff Technologist / cooperq@eff.org

-----

# Whois?

Eva Galperin
Cooper Quintin
Morgan Marquis-Boire
Claudio Guarnieri

-----

# What is EFF?

-----

“What Binge On does, it includes a proprietary technology and what the technology does is not only detect the video stream but select the appropriate bit rate to optimize to the video, the mobile device. That’s part A of my answer. Part B of my answer is, who the fuck are you, anyway, EFF? Why are you stirring up so much trouble, and who pays you?”
- John Legere

-----

### Q: Who the Fuck are you, anyway, EFF?

-----

# Legal Work

-----

#### Q: Why are you stirring up so much trouble?

-----

# Activism

-----

# International Work

-----

# Technology

-----

# Q: Who pays you?

-----

# Targeted Attacks

-----

# Ethiopia

-----

# Iran

-----

## Pawn Storm / FancyBear / APT28

-----

###### Nobody Cares About Kazakhstan
# Operation Manul

-----

###### Kazakhstan is here!

-----

## KZ!

-----

###### NO DOGS WERE HARMED IN THE MAKING OF THIS TALK. WE LOVE DOGS. PLEASE ENJOY THIS UNICORN PICTURE.

-----

#### I got a letter from the government the other day...

-----

###### Mukhtar Ablyazov

-----

# Unveiling Operation Manul

-----

# JRat / Jacksbot

• Java Based
• Multi-Platform
  – Win, Mac, Linux, Solaris, *BSD
• Plugin Architecture and API
• Cheap!

-----

# JRat / Jacksbot - Other Features

• Process List
• Remote Shell
• Chat
• Edit Registry
• Manage Remote Filesystem

-----

# JRat / Jacksbot - Plugins

• Turn on remote webcam
• Disable webcam indicator light
• Password Recovery
• Keylogger
• Reverse SOCKS Proxy
• Roll Your Own...
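-----

The next slide lists jRAT's anti-analysis measures, among them an encrypted config file whose decryption key is hidden in zip file metadata. Below is an added example of the config extractor an analyst ends up writing for that layout. It is not EFF's tooling and not jRAT's own code: the member name `config.dat`, the key sitting in the archive comment behind a `k=` marker, and the SHA-256 counter-mode keystream are all assumptions chosen so the demo runs with the Python standard library (the slides do not say which cipher or which metadata field the real RAT uses). The sample JAR is constructed in memory.

```python
"""
Added example (not from the talk, not jRAT code): pull a hidden key out of
ZIP metadata and decrypt the config of a Java RAT sample.

Assumptions (not stated on the slides): the config lives in config.dat,
the key is hex in the archive comment after "k=", and the "cipher" is a
SHA-256 counter-mode keystream XORed over the data.
"""
import hashlib
import io
import json
import zipfile

CONFIG_MEMBER = "config.dat"   # assumed name of the encrypted config entry
KEY_MARKER = b"k="             # assumed marker in front of the hex key


def keystream(key: bytes, length: int) -> bytes:
    """SHA-256 in counter mode, a stand-in for whatever cipher the RAT really uses."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """Symmetric: the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def build_sample_jar(config: dict, key: bytes) -> bytes:
    """Constructed sample: a JAR with an encrypted config.dat and the key in the archive comment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: a.b.c\n")
        zf.writestr("a/b/c.class", b"\xca\xfe\xba\xbe" + b"\x00" * 12)  # placeholder class bytes
        zf.writestr(CONFIG_MEMBER, xor_crypt(json.dumps(config).encode(), key))
        zf.comment = KEY_MARKER + key.hex().encode()  # assumed hiding spot
    return buf.getvalue()


def metadata_fields(jar: bytes) -> dict:
    """Every ZIP metadata field that could carry a hidden key: archive comment,
    per-member comments and per-member extra fields. Check all of them, not just one."""
    fields = {}
    with zipfile.ZipFile(io.BytesIO(jar)) as zf:
        if zf.comment:
            fields["archive comment"] = zf.comment
        for info in zf.infolist():
            if info.comment:
                fields[f"{info.filename} comment"] = info.comment
            if info.extra:
                fields[f"{info.filename} extra"] = info.extra
    return fields


def recover_key(jar: bytes) -> bytes:
    """Return the key from the first metadata field that carries a decodable marker."""
    for _where, blob in metadata_fields(jar).items():
        idx = blob.find(KEY_MARKER)
        if idx == -1:
            continue
        hexkey = blob[idx + len(KEY_MARKER):].split(b"\x00", 1)[0]
        try:
            return bytes.fromhex(hexkey.decode("ascii"))
        except ValueError:
            continue  # marker bytes occurred by chance in this field; keep looking
    raise ValueError("no key found in zip metadata")


def extract_config(jar: bytes) -> dict:
    """Decrypt and parse the config: the C&C host/port an analyst wants out of a sample."""
    key = recover_key(jar)
    with zipfile.ZipFile(io.BytesIO(jar)) as zf:
        blob = zf.read(CONFIG_MEMBER)
    return json.loads(xor_crypt(blob, key).decode())


if __name__ == "__main__":
    sample = build_sample_jar({"host": "c2.example", "port": 1337}, b"\x01" * 16)
    print(metadata_fields(sample))
    print(extract_config(sample))
```

`metadata_fields` is the part worth keeping around: when the key is not where you first expect, dumping every comment and extra field of the archive shows the candidate locations at once, and `recover_key` tolerates a marker that appears by coincidence in some other field.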
-----

# JRat / Jacksbot - Anti Analysis

• Bytecode obfuscated with Zelix KlassMaster
• Encrypted config file
• Decryption key hidden in zip file metadata
• Detect Virtualization

-----

# Bandook

• Another off-the-shelf, commodity RAT
• Continuously developed over a number of years
• Only targets Windows
• Modular:
  – Start shell, record sound, record video, keylogger, take screenshots, etc.

-----

# C&C Servers

Axroot.com, Adobeair.net, kaliex.net…

• Windows servers, running XAMPP
• Do not appear to be shared hosts
  – Not many domains / shared document root
• But they are not sitting idle!
  – Many open ports and many open directories

-----

# Other Targets

-----

# Attribution Is Hard

-----

# Links to Kazakhstan

• Common thread between targets
  – Legal disputes against the KZ government
• Phishing at a private email address
  – One subpoenaed by Kazakhstan
• Arcanum Global Intelligence
  – Cyber Intelligence Operations
  – Hired by KZ to gather intel on the Ablyazov family

-----

# Links Between Operation Manul and Appin

• Overlapping domains with Hangover, including appinsecurity.com
• Alleged use of the Hackback trojan / similar to the trojan used in Oslo
  – Unable to verify this

-----

# Other Considerations

-----

##### It doesn’t need to be sophisticated to work.

-----

# We could(n’t) be heroes

-----

# What do we do?
• Outreach: community relations / trust building
• Incident response: malware analysis / forensics / threat intel
• Education: training / IT support / help desk
• Policy research: legal / law enforcement
• Advocacy: awareness / policy change
• Follow up with other affected parties

-----

# What is to be done?

-----

# What industry can do

• Anti-virus: state-sponsored attack warnings
• Better state-sponsored warnings

-----

# What you can do

-----

# Pick a cause you care about

-----

# What Else Can You Do?

• If you have research related to the actors behind Operation Manul, publish it, or send it to us!
• Donate to EFF!

-----

# Takeaways

• None of this research is “sexy”. The tools and the actors aren’t sophisticated.
• Attacks don’t need to be sophisticated to work.
• But it’s not every day that malware research can prevent people from getting kidnapped or killed, and expose state crimes.

-----

# Acknowledgements

• Huge thanks to our fellow researchers: Morgan Marquis-Boire and Claudio Guarnieri.
• Operation Hangover: Snorre Fagerland, Morten Kråkvik, Jonathan Camp, Ned Moran.
• Hex-Rays, Joe Sandbox, VirusTotal, PassiveTotal for the donation of their services and software.
• Additionally we’d like to thank David Greene, Jamie Lee Williams, Meghan Fenzel, Nate Cardozo, Kurt Opsahl, Soraya Okuda, and Marion Marschalek, for their patience,

-----

# Further Reading

• [Operation Hangover](http://enterprise-manage.norman.c.bitbit.net/resources/files/Unveiling_an_Indian_Cyberattack_Infrastructure.pdf)
• [Oslo Freedom Forum](https://www.f-secure.com/weblog/archives/00002554.html)
• [Iran 2FA Spearphishing](https://citizenlab.org/2015/08/iran_two_factor_phishing/)
• [Pawn Storm EFF Report](https://www.eff.org/deeplinks/2015/08/new-spear-phishing-campaign-pretends-be-eff)
• [Wassenaar](https://www.eff.org/deeplinks/2015/05/we-must-fight-proposed-us-wassenaar-implementation)
• [Kidane v. Ethiopia](https://www.eff.org/cases/kidane-v-ethiopia)
• [Ethiopia and FinFisher](https://citizenlab.org/2013/03/you-only-click-twice-finfishers-global-proliferation-2/)
• [Human Rights Watch Report on Kazakhstan](https://www.hrw.org/world-report/2015/country-chapters/kazakhstan)

-----
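The "Links Between Operation Manul and Appin" slide rests on overlapping infrastructure between Manul and Operation Hangover, and the C&C slide makes a point of the servers not looking like shared hosts. Below is an added example (not EFF's tooling and not from any of the reports listed above) of the pivot an analyst runs to surface such overlaps from passive-DNS style records, with a guard against the shared-hosting false positive. Every domain, IP and campaign label in it is a constructed placeholder; none are real indicators from either campaign.

```python
"""
Added example (not from the talk): find infrastructure shared between two
campaigns by walking a domain <-> IP graph built from resolution records,
and refuse to cross IPs that look like shared hosting.

All records below are constructed placeholders, not real indicators.
"""
from collections import defaultdict, deque

# Constructed passive-DNS style records: (campaign, domain, resolved IP).
RECORDS = [
    ("manul", "mail-update.example", "198.51.100.10"),
    ("manul", "mail-update.example", "198.51.100.11"),
    ("manul", "docs-share.example", "198.51.100.11"),
    ("hangover", "docs-share.example", "203.0.113.5"),
    ("hangover", "sec-corp.example", "203.0.113.5"),
    ("hangover", "sec-corp.example", "203.0.113.6"),
    ("manul", "lonely.example", "192.0.2.77"),
    # A busy shared-hosting IP: one domain from each campaign plus 30 unrelated
    # tenants. Co-hosting there is not evidence of a link.
    ("manul", "hosted-a.example", "192.0.2.200"),
    ("hangover", "hosted-b.example", "192.0.2.200"),
    *[("other", f"tenant{n}.example", "192.0.2.200") for n in range(30)],
]


def build_graph(records):
    """Bipartite graph ('d', domain) <-> ('i', ip); owners maps each node to the campaigns that saw it."""
    adj = defaultdict(set)
    owners = defaultdict(set)
    for campaign, domain, ip in records:
        d, i = ("d", domain), ("i", ip)
        adj[d].add(i)
        adj[i].add(d)
        owners[d].add(campaign)
        owners[i].add(campaign)
    return adj, owners


def direct_overlaps(records, a, b):
    """Domains and IPs observed in both campaign a and campaign b, with no filtering.
    This is the raw list; note that it happily includes the shared host."""
    _, owners = build_graph(records)
    return sorted(name for (_, name), camps in owners.items() if {a, b} <= camps)


def pivot_path(records, start_domain, target, max_fanout=20):
    """Shortest domain/IP chain from start_domain to anything the target campaign used.

    IPs with more than max_fanout domains are treated as shared hosting: they are
    neither counted as overlap nor expanded, because many unrelated tenants sit there.
    Returns the path as a list of names, or None if no credible link exists."""
    adj, owners = build_graph(records)
    start = ("d", start_domain)
    if start not in adj:
        return None
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node[0] == "i" and len(adj[node]) > max_fanout:
            continue  # shared host: skip it entirely
        if node != start and target in owners[node]:
            path = []
            while node is not None:
                path.append(node[1])
                node = prev[node]
            return path[::-1]
        for nxt in adj[node]:
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


if __name__ == "__main__":
    print("raw overlap:", direct_overlaps(RECORDS, "manul", "hangover"))
    for dom in ("mail-update.example", "hosted-a.example", "lonely.example"):
        print(dom, "->", pivot_path(RECORDS, dom, "hangover"))
```

The two functions disagree on purpose: `direct_overlaps` reports the shared-hosting IP as an overlap, while `pivot_path` refuses to cross it and only reaches Hangover infrastructure through the dedicated IP and the domain both campaigns actually used. Raising `max_fanout` shows how quickly a pivot turns into noise once shared hosts are allowed.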