###### FireEye Intelligence: Threat Landscape Overview

Manish Gupta, Senior Vice President of Products

-----

###### Agenda

- How FireEye Defines the Threat Landscape
- Intelligence Update for Europe

-----

###### Threat Actor Categories

| | Nuisance | Data Theft | Cyber Crime | Hacktivism | Network Attack |
|---|---|---|---|---|---|
| **Example** | Botnets & Spam | Advanced Persistent Threat | Credit Card Theft | Website Defacements | Destroy Critical Infrastructure |
| **Character** | Automated | Persistent | Opportunistic | Conspicuous | Conflict Driven |
| **Targeted** | | | | | |

-----

###### APT Actors & Tactics

- They are professional, organized and well funded
- If you kick them out they will return
- It's a "who," not a "what"
- Nation-state sponsored
- They have specific objectives
- There's a human at the keyboard
- Highly tailored and customized attacks
- Escalate their sophistication of tactics as needed
- Their goal is long-term occupation
- Persistence tools ensure ongoing access
- Targeted specifically at …
- Relentlessly focused on their …

-----

###### What APT Malware is Prevalent in Europe?
Pie chart, Europe (recoverable labels only): Other 46%, Xtreme RAT 15%, Kaba (SOGU) 11%, WITCHCOVEN 11%, Exploit Documents 3%, MoleRATs, Safebet.

- Kaba/SOGU used by many different Chinese threat groups
- WITCHCOVEN is a profiling script used by APT groups
- MoleRATs used by Middle Eastern threat groups

-----

###### Europe in Context

**Foreign Issues Are Domestic Concerns**
- Responding to Russian aggression
- Migrant Crisis
- Concerns over extremism
- Economic stability & energy security

**Activity From a Range of Groups**

The threat landscape in Europe reflects a mix of:
- Intelligence Services, both allies and rivals
- Non-state actors engaging in their own operations
- Espionage, hacktivism, and the threat of computer network attack

-----

###### Russian Threat Activity

**Long History of Information Warfare**
- Broader meaning: cyber, electronic warfare, information operations
- Established cyber program: uses in both peace and war

**Involvement of Military and Intelligence Units**
- Russian Ministry of Defense Cyber Command

**Focus on secrecy and operational security**
- Stealthy programs and doctrine
- Possible use of criminal groups and hacktivists

**Employment for…**
- Espionage
- Support military operations
- Influence through media and other "information" means

-----

**Espionage**
- APT28: targeting think tanks, media, regime critics; iOS malware
- APT29: targeting US, European govts & policymakers

**Disruptive Activity Supporting Military Operations**
- Estonia, Georgia, Ukraine

**Reflections of Activity?**
- Agent.BTZ / Snake / Turla / Uroburos
- COZYCAR
- Havex/Fertger
- MiniDuke
- BlackEnergy against ICS

**Attribution Challenges**
- RU Govt vs. RU Actor
- Smoke and mirrors

-----

###### Chinese Threat Activity

**Cyber Activity Mirrors State Interests**
- Protect Supremacy of Chinese Communist Party
- Build economy, society, and military
- 2050: Become a world-class power

**Current Five-Year Plan Priorities**
- Agricultural Technology
- Food and Beverage
- Creative Industries
- Specialized Manufacturing
- Biotech/Health Sciences
- Energy Industry
- IT and Communications

**Groups We Track**
- Over two dozen groups
- Some active for periods of 10 years or longer
- Comprised of military and likely state security units
- At least 3 groups are contractors

**Targets**
- Massive, worldwide scale
- All sectors: Government, Industry, Non Profit

-----

###### New Trends Through 2014

**Adapted Social Engineering**
- Use of social media to interact with targets and develop trust before deploying a payload

**Alterations to Malware**
- UDP backdoor
- Encryption and modularity
- Memory-only malware
- C2 leverages DNS hijacking of legitimate domains

**Other Trends**
- Data theft via DropBox to blend in with legitimate traffic
- Use of profiling scripts
- Healthcare breaches, Office of Personnel Management, PII theft
- Ties between China-based APT groups and DDoS attacks?
-----

###### Other State Espionage Involving Europe

**France**
- Babar, Casper, Bunny
- Greece, Spain, Syria

**UK**
- Regin
- Telecommunications, researchers focusing on advanced mathematics and cryptology
- Belgium, Germany, Algeria, Iran, Syria, Russia, Pakistan, others

**US**
- Equation Group
- Financial institutions, Islamic scholars, and other victims

-----

###### Hacktivists & the CyberCaliphate

**Hacktivists allegedly target French websites post-Paris siege**
- ~20,000 sites affected
- Distributed denial of service attacks, defacements
- French military official attributes to "well-known Islamist hackers"

**"CyberCaliphate" targets TV5 Monde**
- Apparent escalation in tactics
- Disrupts programming on 11 channels
- Defaces website and social media accounts
- Claims to act in support of ISIS; no firm attribution or ties to ISIS

-----

###### Threats to the European Energy Sector: ICS Malware

**Havex** (aka Fertger / PEACEPIPE / "DragonFly" / "Energetic Bear")
- Detected in Middle East networks in 2014
- Compromise via spear phish or SWC (strategic web compromise)
- Targets are diverse: wide, multi-sector
- Motivation somewhat unclear
  - Espionage / intelligence collection
  - Oil/gas: pricing data, negotiation positions?
  - Business operations
  - Possible disruptive ambitions?

**BlackEnergy ICS Variant** (aka "Quedagh Group" / "SandWorm")
- Targets ICS software
- Associated activity leveraged BlackEnergy to compromise targeting NATO, Ukrainian targets

-----

###### THANK YOU

-----