I just went through the slides of Stefano Maccaglia on his research on APT28. APT28 is also known as ‘Sofacy’ or ‘Sednit’ and is thought to be a Russian (semi) state-sponsored group.
Stefano’s slides are a good read as a write-up of his past and still ongoing research on this topic. The slides can be found here (note: RSA seems to have removed the slides from its website;
here is a Google cache version, which of course lacks the pictures. I later found a copy on GitHub here).
Here are a few items I think stand out from his slides and are usable for us red teamers and defenders:
- Once again it is spear phishing that gives the attackers their initial access.
- The first round of phishing emails was not very successful. The main reason was that outbound traffic from several of the compromised systems was blocked by egress filtering. I’ve been saying this to my clients for years: filtering and logging of outbound traffic is just as important as inbound.
- It is not entirely clear from the slides, but it seems that external access to email (Microsoft OWA) with some of the compromised accounts was possible with just a username and password, i.e. without a second factor. Because OWA exposes the Global Address List and other AD-integrated directory information, the attackers could do proper internal reconnaissance and harvest names, roles and addresses for the next round of phishing.
- This one is important: all servers were properly patched, except one server, for some legacy reason (don’t you just hate / love exceptions). The patch it was missing was MS14-068 (CVE-2014-6324, KB3011780): a flaw in the KDC’s validation of the PAC in Kerberos tickets that lets any authenticated domain user forge a ticket claiming domain admin group membership, so it is a major issue for any AD domain. The bigger issue here, which many people forget, is that domain segmentation inside a larger forest does not contain a domain compromise: within a forest the trusts between domains are not a security boundary, and a domain admin in a child domain can escalate to the forest root. In this case the DCs of a sub domain led to full forest compromise. Ouch. So much effort put into proper patching of 99.9% of the systems, and just one missing patch led to full forest compromise.
- The defenders made a typical defensive error upon first recognising the compromise: they wiped the desktops and reinstalled them. Of course the attackers noticed and stayed low for a while (20 days), but they still had access via other compromised systems. It was only through an unrelated investigation that the defenders detected the other way in which the attackers still had access. Takeaway: understand your attackers and observe their modus operandi so you can hit them at the right level in the pyramid of pain, rather than only at the host level. Hard, but so, so important.
- Even the real bad guys just loooove mimikatz.
- Log analysis of Windows Active Directory remains a big challenge. You need to dive into tiny details of the logs and correlate events across hosts in order to detect lateral movement and some of the more advanced attacks on AD. Microsoft, please give us a better way of interacting with Windows logs!
- The attackers used Windows mailslots for communication within the network. Mailslots are a form of IPC that every modern Windows version has: one-way, datagram-style messages that can be broadcast to all machines in a domain and travel over SMB. Not to be confused with named pipes, which are bidirectional and connection-oriented.
- The APT28 tools used, although some were relatively advanced, follow the same stages as other known malware, namely downloader, persistent access stager, internal info gathering and some modular platform for target-specific functionality.
- Stefano tries to coin the term ‘actionable IOCs’. I agree that not all IOCs are that usable, and I like his term.
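To make the log-correlation point above concrete, here is an added example (my own, not from Stefano’s slides or any APT28 tooling). It takes a handful of constructed Windows Security events exported as JSON lines, and correlates 4624 logon events with 4672 “special privileges assigned” events to flag an account that fans out from one source IP to several hosts in a short window, the pattern that pass-the-hash with mimikatz leaves behind as NTLM network (type 3) logons. The host names, account names, IPs and thresholds are all assumptions for the sake of the example.

```python
"""Correlate Windows Security events to spot lateral-movement fan-out.

Field names follow the EventData names of Security log events 4624 (logon)
and 4672 (special privileges assigned to new logon). The sample log below is
constructed for this example and is not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Constructed sample: one JSON object per line, as a SIEM or
# Get-WinEvent | ConvertTo-Json export might produce. All names/IPs are made up.
SAMPLE_LOG = """\
{"EventID":4624,"TimeCreated":"2015-03-10T09:00:05","Computer":"WS01.corp.local","TargetUserName":"alice","TargetDomainName":"CORP","LogonType":"2","AuthenticationPackageName":"Kerberos","IpAddress":"-"}
{"EventID":4624,"TimeCreated":"2015-03-10T09:12:10","Computer":"FS01.corp.local","TargetUserName":"svc_backup","TargetDomainName":"CORP","LogonType":"3","AuthenticationPackageName":"NTLM","IpAddress":"10.1.2.33"}
{"EventID":4624,"TimeCreated":"2015-03-10T09:13:02","Computer":"FS02.corp.local","TargetUserName":"svc_backup","TargetDomainName":"CORP","LogonType":"3","AuthenticationPackageName":"NTLM","IpAddress":"10.1.2.33"}
{"EventID":4624,"TimeCreated":"2015-03-10T09:13:40","Computer":"APP01.corp.local","TargetUserName":"svc_backup","TargetDomainName":"CORP","LogonType":"3","AuthenticationPackageName":"NTLM","IpAddress":"10.1.2.33"}
{"EventID":4672,"TimeCreated":"2015-03-10T09:13:40","Computer":"APP01.corp.local","SubjectUserName":"svc_backup","SubjectDomainName":"CORP"}
{"EventID":4624,"TimeCreated":"2015-03-10T09:14:15","Computer":"DC01.corp.local","TargetUserName":"svc_backup","TargetDomainName":"CORP","LogonType":"3","AuthenticationPackageName":"NTLM","IpAddress":"10.1.2.33"}
{"EventID":4672,"TimeCreated":"2015-03-10T09:14:15","Computer":"DC01.corp.local","SubjectUserName":"svc_backup","SubjectDomainName":"CORP"}
{"EventID":4624,"TimeCreated":"2015-03-10T11:30:00","Computer":"FS01.corp.local","TargetUserName":"bob","TargetDomainName":"CORP","LogonType":"3","AuthenticationPackageName":"Kerberos","IpAddress":"10.1.5.7"}
"""

# Logon types that mean "came in over the network": 3 = network, 10 = RDP.
REMOTE_LOGON_TYPES = {"3", "10"}


def parse_events(text):
    """Parse JSON-lines events and convert TimeCreated to datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["TimeCreated"] = datetime.fromisoformat(ev["TimeCreated"])
        events.append(ev)
    return events


def privileged_hosts(events, slack=timedelta(seconds=5)):
    """Map (domain, user) -> hosts where a 4624 was followed within `slack`
    by a 4672 for the same account on the same host. 4672 carries the
    account in the Subject* fields, 4624 in the Target* fields, which is
    exactly the kind of tiny detail the correlation has to get right."""
    logons = [e for e in events if e["EventID"] == 4624]
    priv = defaultdict(set)
    for e in events:
        if e["EventID"] != 4672:
            continue
        acct = (e["SubjectDomainName"], e["SubjectUserName"])
        for l in logons:
            same_acct = (l["TargetDomainName"], l["TargetUserName"]) == acct
            delta = e["TimeCreated"] - l["TimeCreated"]
            if l["Computer"] == e["Computer"] and same_acct and timedelta(0) <= delta <= slack:
                priv[acct].add(e["Computer"])
                break
    return priv


def find_fanout(events, window=timedelta(minutes=10), min_hosts=3):
    """Flag (account, source IP) pairs whose remote logons reach at least
    `min_hosts` distinct destination hosts inside a sliding time window."""
    priv = privileged_hosts(events)
    by_key = defaultdict(list)
    for ev in events:
        if ev["EventID"] != 4624 or ev["LogonType"] not in REMOTE_LOGON_TYPES:
            continue
        key = (ev["TargetDomainName"], ev["TargetUserName"], ev["IpAddress"])
        by_key[key].append((ev["TimeCreated"], ev["Computer"], ev["AuthenticationPackageName"]))

    findings = []
    for (domain, user, src), logons in by_key.items():
        logons.sort()
        for i, (t0, _, _) in enumerate(logons):
            in_window = [(h, a) for t, h, a in logons[i:] if t - t0 <= window]
            hosts = {h for h, _ in in_window}
            if len(hosts) >= min_hosts:
                findings.append({
                    "account": f"{domain}\\{user}",
                    "source_ip": src,
                    "first_seen": t0.isoformat(),
                    "hosts": sorted(hosts),
                    "privileged_hosts": sorted(hosts & priv.get((domain, user), set())),
                    "auth_packages": sorted({a for _, a in in_window}),
                })
                break  # one finding per account/source is enough
    return findings


if __name__ == "__main__":
    for f in find_fanout(parse_events(SAMPLE_LOG)):
        print(json.dumps(f, indent=2))
```

Run as-is it reports CORP\svc_backup reaching four hosts from 10.1.2.33 within a couple of minutes, two of them with admin rights (the 4672 pairing), all over NTLM. In a real environment you would feed it the 4624/4672 stream from your DCs and member servers, tune `window` and `min_hosts` against your own baseline (backup and monitoring accounts will fan out legitimately), and treat NTLM type 3 logons from a workstation IP to a DC as the line worth paging on.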
Go read the full slide deck if you are interested in all the details.