USCYBERCOM v. the Internet Research Agency

This time, USCYBERCOM wanted to be caught.

by Christopher Lamb (CORE)
Mar. 06, 19 · Analysis
Some details have emerged regarding the recently reported attacks on the Internet Research Agency (recently renamed the Federal News Agency). Keep in mind, these details were reported by FAN itself.

FAN reported that the initial intrusions were via a poisoned Word document and an iPhone 7+. The end result of the operation, apparently, was the destruction of a RAID controller at a central server in FAN headquarters and the reformatting of server systems co-located at facilities in Sweden and Estonia.

Now, keep in mind, there is only one source reporting these details — FAN itself. And the original article outlining the attack, written in Russian, is just a bit heavy on the propaganda angle. It doesn't cover any significant details regarding command and control infrastructure, or implants used, or really anything of any technical detail. This, of course, doesn't mean that Russian authorities don't have samples, but it does make the article a bit less interesting to read, unfortunately.

But not all is lost! They do have some information on the initial footholds. First, the weaponized Word document was a typical phishing lure with information of interest to the target. The email itself wasn't published, but it does seem like a reasonably sophisticated spear phishing attack, as it spoofed the email address of a FAN employee as the originator. After the document was opened, it installed a rootkit on the attacked system. It does seem that the rootkit was able to establish a connection to some C&C server somewhere, but the contents of that communication weren't reported. Furthermore, the compromised system couldn't be used to pivot to other internal infrastructure, as the network it was on was partitioned from the primary internal FAN LAN.

The iPhone 7+ attack is much more interesting. While the first system was compromised via a traditional spear phishing attack, the iPhone attack was much more sophisticated. FAN doesn't mention the version of iOS that the iPhone was running, but they do roughly cover the process of compromise. Apparently, the iPhone was attached to a Windows computer (again, the specific version of Windows isn't mentioned). When attached via a USB cable, iTunes automatically popped up and did the usual iTunes things, as well as apparently downloading a rootkit. After the rootkit was installed, the computer was completely compromised and provided full access to the internal LAN. They also mention that Amazon was the C&C endpoint, which is entirely possible. It seems that USCYBERCOM would want more anonymity. But perhaps, with routing C&C traffic through fast-flux networks and external foreign ISPs, there's really no need. I expect that, first, they wanted people to know who did this, and second, it's not like they're breaking any laws. Well, in the US at least. So why bother with a bunch of fancy C&C obfuscation?

The iTunes attack vector is interesting simply because I haven't seen that one before. I also wonder how the iPhone was originally compromised. iPhone exploits are expensive on the open market after all — as of January of this year, the going price for remote exploits was $2 million. Yes, that's right. And that's what the researchers get paid — you can bet buyers are paying at least double that.

Now, that said, they don't identify the employee that owned the phone, but they do describe an apparent detention of an editor, which could very well have been used as an opportunity to install an implant on the iPhone, if the editor was, in fact, the employee that owned the compromised phone.

Interesting TTPs, no doubt! I expect that we'll see more sophisticated attacks in the future, though. This time, USCYBERCOM wanted to be caught. Next time, well, I wouldn't count on it.
